A maximum-severity security flaw has been disclosed in the GiveWP WordPress donation and fundraising plugin, exposing more than 100,000 websites to remote code execution attacks.
The vulnerability, tracked as CVE-2024-5932 (CVSS score: 10.0), affects all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher who goes by the online alias villu164 has been credited with discovering and reporting the issue.
The plugin is “susceptible to PHP Object Injection across all variants up until, and including, 3.14.1 through deserialization of untrusted data from the ‘give_title’ parameter,” Wordfence said in a report this week.
“This permits unauthenticated assailants to introduce a PHP Object. The existence of a POP chain additionally empowers assailants to execute code remotely and delete arbitrary files.”
The flaw is rooted in a function named “give_process_donation_form(),” which is used to validate and sanitize the submitted form data before passing the donation details, including payment information, to the specified gateway.
Successful exploitation of the vulnerability could allow an authenticated attacker to execute malicious code on the server, making it imperative that users update to the latest version without delay.
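As an added illustration of the bug class described above (this is not GiveWP's code and not the project's fix), the snippet below shows the unsafe pattern, a form field handed straight to unserialize(), next to two hardened alternatives a plugin author would use. The give_title parameter is the one named in the report; the function names and sample inputs are hypothetical.

```php
<?php
// Added illustration, not GiveWP's code: a simplified donation-form handler showing
// the unsafe pattern (unserialize() on a request field) beside two hardened variants.

// UNSAFE: whoever submits the form chooses which class gets instantiated, which is
// what "PHP Object Injection" means. Any class whose __wakeup()/__destruct() has side
// effects becomes reachable from a plain HTTP request.
function process_title_unsafe(array $request)
{
    return unserialize($request['give_title'] ?? '');   // untrusted data -> unserialize()
}

// Conservative detector for PHP's native serialization syntax (same idea as WordPress
// core's is_serialized(); re-implemented here so the file runs stand-alone).
function looks_serialized(string $data): bool
{
    $data = trim($data);
    return $data === 'N;'
        || preg_match('/^[aOC]:\d+:/', $data) === 1       // array / object / custom object
        || preg_match('/^s:\d+:"/', $data) === 1          // string
        || preg_match('/^[ibd]:-?[\d.]+;/', $data) === 1; // int / bool / float
}

// SAFE #1: a form field is text, so it should never be deserialized at all. Reject
// anything that looks like a serialized payload and sanitize what remains.
function process_title_safe(array $request): string
{
    $title = (string) ($request['give_title'] ?? '');
    if (looks_serialized($title)) {
        throw new InvalidArgumentException('give_title must be plain text');
    }
    return htmlspecialchars(strip_tags($title), ENT_QUOTES, 'UTF-8');
}

// SAFE #2: if deserialization genuinely cannot be avoided, forbid object creation.
// Serialized objects become __PHP_Incomplete_Class, so no application class's
// __wakeup()/__destruct() can run (PHP 7.0+).
function unserialize_no_objects(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample inputs (not taken from any real request):
$plain   = ['give_title' => 'Mr.'];
$payload = ['give_title' => 'O:8:"stdClass":0:{}'];

echo process_title_safe($plain), "\n";
var_dump(unserialize_no_objects($payload['give_title']));
try {
    process_title_safe($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Running it prints the sanitized plain title, shows the object-bearing payload degraded to __PHP_Incomplete_Class, and then reports the same payload being rejected by the text-only handler.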
The disclosure comes shortly after Wordfence also detailed another critical security flaw in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0) that allows unauthenticated attackers to read and delete arbitrary files, including the wp-config.php file.
On Linux systems, only files within the WordPress installation directory can be deleted, but all files can still be read. The issue has been patched in version 1.4.5.
Also discovered is another critical flaw in JS Help Desk, a WordPress plugin with over 5,000 active installations (CVE-2024-7094, CVSS score: 9.8), that leads to remote code execution via a PHP code injection flaw. A fix for this vulnerability is available in version 2.8.7.
Other security vulnerabilities patched in various WordPress plugins include –
- CVE-2024-6220 (CVSS score: 9.8) – An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin that allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to code execution
- CVE-2024-6467 (CVSS score: 8.8) – An arbitrary file read vulnerability in the BookingPress appointment booking plugin that enables authenticated attackers with Subscriber-level access and above to create arbitrary files, execute arbitrary code, or access sensitive data
- CVE-2024-5441 (CVSS score: 8.8) – An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers with Subscriber-level access and above to upload arbitrary files to the server and execute code
- CVE-2024-6411 (CVSS score: 8.8) – A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that enables authenticated attackers with Subscriber-level access and above to elevate their privileges to those of an Administrator
Patching is essential to defend against attacks that exploit these vulnerabilities to deploy credit card skimmers that harvest financial data from site visitors.

Sucuri recently detailed a skimmer campaign targeting PrestaShop e-commerce sites that injects malicious JavaScript which uses a WebSocket connection to steal credit card details.
The GoDaddy-owned website security company also warned WordPress site owners against installing pirated plugins and themes, noting that doing so can serve as a conduit for malware and other illegitimate activities.
“Ultimately, adhering to genuine plugins and themes stands as a crucial part of responsible website administration, and security should never be compromised for the sake of expediency,” Sucuri elaborated.