WordPress Plugin Vulnerability in GiveWP Plugin Endangers over 100,000 Websites
A critical vulnerability has been disclosed in the WordPress GiveWP donation and fundraising plugin that places over 100,000 websites at risk of remote code execution attacks.
Tracked as CVE-2024-5932 (CVSS score: 10.0), the flaw affects all versions of the plugin prior to 3.14.2, which was released on August 7, 2024. A security researcher known as villu164 discovered and reported the issue.
The plugin is vulnerable to PHP Object Injection in all versions up to and including 3.14.1 via deserialization of untrusted input from the ‘give_title’ parameter, Wordfence said in a recent report.
“This vulnerability enables unauthenticated attackers to introduce a PHP Object. The presence of a POP chain provides attackers a way to remotely execute code and delete arbitrary files,” as stated by Wordfence.
The vulnerability stems from a function named “give_process_donation_form(),” which validates and sanitizes the submitted form data before passing the donation details, including payment information, to the selected gateway.
Successful exploitation could allow an authenticated malicious actor to execute malicious code on the server, so users should update to the latest version without delay.
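As an added illustration that is not GiveWP’s own code, the PHP below contrasts the unsafe pattern the report describes (a request parameter handed straight to unserialize()) with a hardened handler; the handler names, the class name and the sample field value are constructed for this example.

```php
<?php
// Illustrative example only; not code from the GiveWP plugin.

// Vulnerable pattern: a form field is passed directly to unserialize(), so any
// serialized object in the request is instantiated and, if a POP chain exists
// on the site, its magic methods (__wakeup/__destruct) run with the plugin's
// privileges.
function vulnerable_read_title(array $post): mixed
{
    return unserialize($post['give_title'] ?? '');
}

// Hardened pattern: a title is plain text, so it is never deserialized at all.
// It is validated as a string and HTML is stripped before use.
function hardened_read_title(array $post): string
{
    $title = (string) ($post['give_title'] ?? '');
    // Defence in depth: reject input that looks like a serialized PHP object
    // (O:<len>:"Class" or C:<len>:"Class") rather than parsing it.
    if (preg_match('/[OC]:\d+:"/', $title)) {
        return '';
    }
    return strip_tags($title);
}

// Where deserialization is genuinely required, forbid object instantiation:
// objects become __PHP_Incomplete_Class instances and no magic methods fire.
function safe_unserialize(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample request containing a serialized object of a made-up class.
$sample = ['give_title' => 'O:9:"SomeClass":1:{s:4:"path";s:8:"/tmp/x.t";}'];

// The hardened handler returns an empty string for the suspicious value.
var_dump(hardened_read_title($sample));
// Even when deserialized, the object is inert (incomplete class, no gadgets).
var_dump(safe_unserialize($sample['give_title']));
```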
The disclosure follows Wordfence’s recent details of another critical flaw in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0) that allows unauthenticated attackers to read and delete arbitrary files, including the wp-config.php file.
On Linux systems, only files inside the WordPress install directory can be deleted, while any file on the system can be read. The issue has been fixed in version 1.4.5.
Another serious weakness was found in JS Help Desk, a WordPress plugin with over 5,000 active installations (CVE-2024-7094, CVSS score: 9.8), which permits remote code execution due to a PHP code injection vulnerability. It was patched in version 2.8.7.
Other security vulnerabilities recently addressed in WordPress plugins include the following:
- CVE-2024-6220 (CVSS score: 9.8) – An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin allowing unauthenticated attackers to upload arbitrary files to the site’s server, which can lead to code execution
- CVE-2024-6467 (CVSS score: 8.8) – An arbitrary file read flaw in the BookingPress appointment booking plugin enabling authenticated attackers with Subscriber-level access or above to create arbitrary files, execute code, or access sensitive content
- CVE-2024-5441 (CVSS score: 8.8) – An arbitrary file upload flaw in the Modern Events Calendar plugin allowing authenticated attackers with Subscriber-level access and above to upload arbitrary files to the site’s server, leading to code execution
- CVE-2024-6411 (CVSS score: 8.8) – A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin enabling authenticated attackers with Subscriber-level access and above to elevate their user capabilities to those of an Administrator
Patching these vulnerabilities promptly is essential to guard against attacks that deploy credit card skimmers to harvest financial data entered by site visitors.

Last week, Sucuri highlighted a skimmer campaign affecting PrestaShop e-commerce websites by injecting them with malicious JavaScript that leverages a WebSocket connection to pilfer credit card details.
The GoDaddy-owned website security company has also cautioned WordPress site owners against using nulled plugins and themes, warning that they can serve as gateways for malware and other malicious activity.
“Ultimately, sticking to legitimate plugins and themes is essential for responsible website management, and security should never be compromised for convenience,” as stated by Sucuri.