A critical security vulnerability has been discovered in the popular WordPress plugin GiveWP, potentially putting over 100,000 websites at risk. The flaw, identified as CVE-2024-5932 with a maximum severity CVSS score of 10.0, affects all versions of the plugin up to and including 3.14.1.
Security researcher villu164 responsibly reported the vulnerability through the Wordfence Bug Bounty Program, earning a substantial bounty of $4,998 for the discovery. The vulnerability was disclosed to the plugin developers on June 13, 2024, and after a period of non-response, it was escalated to the WordPress.org Security Team on July 6, 2024.
The vulnerability is classified as an unauthenticated PHP Object Injection that can lead to Remote Code Execution (RCE). It stems from the improper handling of user input in the 'give_title' parameter, which allows attackers to inject malicious PHP objects.
The presence of a POP (Property Oriented Programming) chain within the plugin further exacerbates the issue, enabling attackers to execute arbitrary code remotely and delete files on the affected servers.
Wordfence's technical analysis reveals that the vulnerability originates in the give_process_donation_form() function, which is responsible for handling and processing donations.
The function fails to properly validate the 'give_title' post parameter, leading to the injection of serialized data. This serialized data can then be unserialized and exploited through a complex POP chain, ultimately allowing attackers to execute shell commands and potentially upload a web shell to the server.
The vulnerability also presents a secondary risk of arbitrary file deletion. By leveraging the TCPDF library used in the plugin, attackers can manipulate the destructor of the TCPDF class to delete files from the server when the object is destroyed.
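As an added illustration (not GiveWP's or Wordfence's code; apart from the 'give_title' field name, every function name here is assumed), the unsafe pattern the analysis describes, a request field reaching unserialize(), shown next to a hardened reading of the same field that never materialises attacker-chosen objects, which is what blocks both the RCE chain and the destructor-based file deletion:

```php
<?php
// Added illustration, not the plugin's own code. Contrasts the unsafe
// pattern (unserialize() on a request-controlled field) with a hardened
// version that treats the field as plain text.

// Unsafe pattern, for contrast only: when a serialized string reaches
// unserialize(), the sender chooses which classes are instantiated, and
// their __wakeup()/__destruct() hooks run with the plugin's privileges.
function unsafe_read_title(array $post): mixed
{
    return unserialize($post['give_title'] ?? '');
}

// Flag serialized PHP values in a scalar request field. Object (O:),
// class-name (C:) and array (a:) tokens are the ones that matter for
// object injection; a human-typed title never starts with them.
// WordPress core's is_serialized() can be used instead when available.
function looks_serialized(string $value): bool
{
    return (bool) preg_match('/^\s*[OCa]:\d+:/', $value);
}

// Hardened: a donation title is text, so reject anything that looks
// serialized and sanitize the rest. Falls back to a plain strip when
// WordPress's sanitize_text_field() is not loaded (standalone run).
function safe_read_title(array $post): string
{
    $raw = (string) ($post['give_title'] ?? '');
    if (looks_serialized($raw)) {
        error_log('Rejected serialized payload in give_title');
        return '';
    }
    return function_exists('sanitize_text_field')
        ? sanitize_text_field($raw)
        : trim(strip_tags($raw));
}

// For the rare case where a serialized array is genuinely expected:
// allowed_classes => false yields only scalars, arrays and inert
// __PHP_Incomplete_Class stubs, so no magic methods ever run.
function safe_unserialize(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample inputs for a standalone run.
$benign  = ['give_title' => 'Mr'];
$hostile = ['give_title' => 'O:8:"stdClass":0:{}'];
var_dump(safe_read_title($benign));
var_dump(safe_read_title($hostile));
var_dump(safe_unserialize($hostile['give_title']));
```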
StellarWP, the developers of GiveWP, released a patched version, 3.14.2, on August 7, 2024, addressing this critical security issue. Website administrators using the GiveWP plugin are strongly urged to update to this latest version immediately to mitigate the risk of potential attacks.
This incident highlights the ongoing security challenges faced by the WordPress ecosystem. In recent weeks, several other critical vulnerabilities have been discovered in various WordPress plugins, including:
- A maximum-severity flaw (CVE-2024-6500) in the InPost PL and InPost for WooCommerce plugins, allowing unauthenticated file read and deletion.
- A critical vulnerability (CVE-2024-7094) in the JS Help Desk plugin, enabling remote code execution through PHP code injection.
- An arbitrary file upload flaw (CVE-2024-6220) in the Keydatas plugin, potentially leading to code execution on affected servers.
- A file read vulnerability (CVE-2024-6467) in the BookingPress appointment booking plugin, allowing authenticated attackers to create files and execute code.
- An arbitrary file upload issue (CVE-2024-5441) in the Modern Events Calendar plugin, enabling code execution for authenticated users.
- A privilege escalation flaw (CVE-2024-6411) in the ProfileGrid plugin, allowing subscribers to elevate their privileges to the administrator level.
These vulnerabilities underscore the importance of maintaining up-to-date and secure WordPress installations.
Website owners are advised to regularly update their plugins and themes, use reputable security solutions, and avoid using nulled (pirated) plugins or themes, which can often be vectors for malware and other security threats.