A severe security vulnerability has been identified in the GiveWP donation and fundraising plugin for WordPress, which puts more than 100,000 websites at risk of remote code execution attacks.
This flaw, officially tracked as CVE-2024-5932 with the maximum CVSS score of 10.0, affects all plugin versions prior to 3.14.2. The vulnerability was reported by a security researcher known as villu164, and a fixing update was released on August 7, 2024.
The vulnerability stems from a PHP Object Injection issue via the ‘give_title’ parameter, as described in a recent report. This flaw allows unauthorized attackers to inject a PHP Object which, when combined with a POP chain, enables remote code execution and arbitrary file deletion.
The root of the issue lies within the “give_process_donation_form()” function, responsible for validating and sanitizing form data before sending donation information to the specified payment gateway.
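Because the injected value has to be a serialized PHP object, a defender can look for the tell-tale serialization header (`O:<length>:"<ClassName>":<count>:{`) in request parameters. The following Python script is an added example written for this article; it is not GiveWP code and the log lines it scans are constructed (the `/donate/` path and the field names other than `give_title` are illustrative). It generalizes slightly beyond the article by flagging any parameter, not just `give_title`, and by catching payloads that were percent-encoded twice.

```python
"""Flag request log entries whose parameters carry a serialized PHP object (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A serialized PHP object starts with  O:<len>:"<ClassName>":<propcount>:{
# Objects may also be nested inside arrays (a:1:{...O:...}), so search anywhere in the value.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

# Apache/nginx Common Log Format: ip ident user [time] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; the path and query are illustrative, not GiveWP's real endpoint.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [07/Aug/2024:10:00:01 +0000] "POST /donate/?give_title=Mr&give_email=a%40example.org HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Aug/2024:10:00:02 +0000] "POST /donate/?give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Aug/2024:10:00:03 +0000] "POST /donate/?give_title=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D HTTP/1.1" 200 512',
    '198.51.100.2 - - [07/Aug/2024:10:00:04 +0000] "GET /donate/ HTTP/1.1" 200 8192',
]


def classify_value(value: str):
    """Return (is_suspicious, double_encoded) for one already URL-decoded parameter value."""
    if PHP_OBJECT_RE.search(value):
        return True, False
    # A second decode catches payloads that were percent-encoded twice to slip past naive filters.
    if PHP_OBJECT_RE.search(unquote(value)):
        return True, True
    return False, False


def scan_log_line(line: str):
    """Parse one CLF line and return a list of hits (empty if nothing suspicious)."""
    m = CLF_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qs performs one level of percent-decoding on names and values.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            suspicious, double_encoded = classify_value(value)
            if suspicious:
                hits.append({
                    "ip": m.group("ip"),
                    "param": name,
                    "value": value,
                    "double_encoded": double_encoded,
                })
    return hits


def scan_log(lines):
    """Scan many log lines and return all hits in order."""
    return [hit for line in lines for hit in scan_log_line(line)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"{hit['ip']} param={hit['param']} "
              f"double_encoded={hit['double_encoded']} value={hit['value']!r}")
```

Standard access logs only record the query string, so for a form submitted by POST the same check has to run where the request body is visible, for example in a WAF rule or in application-level request logging. A hit is a reason to investigate the source address and the plugin version, not proof of compromise on its own.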
If exploited successfully, this vulnerability could allow an authenticated threat actor to run malicious code on the server. It is therefore critical for users of the GiveWP plugin to update to the latest version immediately.
This disclosure follows a recent report of another serious security flaw in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0), which similarly allows unauthorized attackers to read and delete arbitrary files, including the crucial wp-config.php file. Although on Linux systems only files within the WordPress install directory can be deleted, any file can be read. This issue has been addressed in version 1.4.5.
Additionally, another vulnerability (CVE-2024-7094, CVSS score: 9.8) was found in the JS Help Desk plugin, used by over 5,000 active installations, that enables remote code execution due to a PHP code injection flaw. A fix has been implemented in version 2.8.7.
Other recently resolved security issues in various WordPress plugins include:
– CVE-2024-6220 (CVSS score: 9.8): An arbitrary file upload vulnerability in the Keydatas plugin, enabling unauthorized attackers to upload files and execute code on the server.
– CVE-2024-6467 (CVSS score: 8.8): An arbitrary file read flaw in the BookingPress plugin, allowing authenticated users to create files, execute arbitrary code, or access sensitive information.
– CVE-2024-5441 (CVSS score: 8.8): An arbitrary file upload flaw in the Modern Events Calendar plugin, allowing authenticated users to upload files and execute code.
– CVE-2024-6411 (CVSS score: 8.8): A privilege escalation flaw in the ProfileGrid plugin, enabling authenticated users to elevate their privileges to Administrator level.
Applying patches for these vulnerabilities is vital to protect against potential attacks that could lead to the installation of credit card skimmers, capable of capturing sensitive financial data from site visitors.
To prevent exploitation of the vulnerability in the WordPress GiveWP plugin, it’s crucial to update to the latest version (3.14.2 or higher) immediately. Regularly monitor your plugins for updates and apply them promptly to close security gaps.
Additionally, implement strong access controls and consider using a web application firewall (WAF) to detect and block malicious activities. Regularly back up your website and review security logs to spot any suspicious behavior early.
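Checking whether an installed plugin is still below the fixed release is easy to get wrong with a plain string comparison ("3.9.1" sorts after "3.14.2" lexically). The following Python script is an added example, not code from GiveWP or any of the plugins named above; it reads the `Version:` line that WordPress itself reads from a plugin's main file header, compares it numerically against the fixed versions the article states, and uses constructed header excerpts as input (the plugin names and version values in the samples are illustrative).

```python
"""Compare installed WordPress plugin versions with the fixed releases named in the article (added example)."""
import re

# Fixed versions as stated in the article, keyed by plugin display name (no slugs assumed).
FIXED_VERSIONS = {
    "GiveWP": "3.14.2",                  # CVE-2024-5932
    "InPost for WooCommerce": "1.4.5",   # CVE-2024-6500
    "JS Help Desk": "2.8.7",             # CVE-2024-7094
}

# Constructed plugin-header excerpts in the format WordPress reads from the main plugin file.
SAMPLE_HEADERS = {
    "GiveWP": "<?php\n/**\n * Plugin Name: GiveWP (constructed sample)\n * Version: 3.9.1\n */\n",
    "InPost for WooCommerce": "<?php\n/*\nPlugin Name: InPost (constructed sample)\nVersion: 1.4.5\n*/\n",
    "JS Help Desk": "<?php\n/**\n * Plugin Name: JS Help Desk (constructed sample)\n * Version: 2.8.10\n */\n",
    "Keydatas": "<?php\n/**\n * Plugin Name: Keydatas (constructed sample, no version line)\n */\n",
}

# Matches "Version: x.y.z" at the start of a header line, with or without the leading " * ".
VERSION_RE = re.compile(r'^\s*\*?\s*Version:\s*(\S+)', re.MULTILINE)


def parse_plugin_version(header_text: str):
    """Return the Version header value, or None when the header has no Version line."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str):
    """'3.14.2' -> (3, 14, 2); a non-numeric tail such as '2-beta' keeps only its digits."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is numerically below the fixed version."""
    a, b = version_tuple(installed), version_tuple(fixed)
    width = max(len(a), len(b))
    # Pad with zeros so "3.14" compares as "3.14.0".
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(headers, fixed=FIXED_VERSIONS):
    """Map plugin name -> (status, installed_version)."""
    results = {}
    for name, text in headers.items():
        installed = parse_plugin_version(text)
        if installed is None:
            results[name] = ("unknown", None)
        elif name in fixed and is_vulnerable(installed, fixed[name]):
            results[name] = ("update required", installed)
        else:
            results[name] = ("ok", installed)
    return results


if __name__ == "__main__":
    for name, (status, installed) in audit(SAMPLE_HEADERS).items():
        print(f"{name:<25} {installed or '-':<8} {status}")
```

On a live site the same comparison can be fed from `wp plugin list --fields=name,version` (WP-CLI) instead of reading header files by hand; the "unknown" status is deliberate so that a plugin whose version cannot be determined is surfaced rather than silently treated as patched.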