Cross Site Request Forgery

Torbjorn_Lien · November 8, 2023, 12:47pm

I have several WP sites running the Patreon plugin, and in the last couple of days all have warned me about a vulnerability to Cross Site Request Forgery in the latest version (1.8.6). When will this issue be fixed?

codebard · November 13, 2023, 10:11pm

Can you dm me the exact warning.

bdonovanw · November 13, 2023, 10:17pm

Wordfence just flagged this plugin for this vulnerability, too.

Torbjorn_Lien · November 14, 2023, 12:36pm

codebard · November 14, 2023, 6:59pm

It looks like this listing was because some actions are lacking nonces. Potentially someone can socially engineer someone who is an admin to submit a form etc. Will be fixed in the next few days.

bdonovanw · November 24, 2023, 10:31pm

Wordfence is flagging even the updated version as being subject to this forgery, and was updated today to reflect this vulnerability:

codebard · November 27, 2023, 11:07pm

Thanks for reporting. Will check it out.

Torbjorn_Lien · November 28, 2023, 11:25am

Same here. New warning on my sites. Hope you can fix this.

codebard · December 7, 2023, 11:07am

This would have been fixed some time ago.

Topic		Replies	Views
[Mostly Resolved] WordPress Plugin 204 & 401 Errors; Post Sync Issues Wordpress Plugin	17	2159	July 7, 2020
Response code: 401 Wordpress Plugin	28	2211	December 7, 2021
401 Error he server could not verify that you are authorized to access the URL requested API Feedback	2	2958	February 21, 2020
PHP errors in logs patreon_oauth.php Wordpress Plugin	2	646	October 21, 2018
Excessive requests to /patreon-webhooks Wordpress Plugin	6	200	December 19, 2023

Cross Site Request Forgery

Related Topics