
Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover

A critical vulnerability in the GiveWP WordPress plugin could be exploited for remote code execution and arbitrary file deletion.

A critical vulnerability in the GiveWP WordPress plugin exposed over 100,000 websites to remote code execution and arbitrary file deletion attacks, WordPress security firm Defiant reports.

Tracked as CVE-2024-5932 (CVSS score of 10/10), the bug is described as a PHP object injection via the deserialization of untrusted input from the ‘give_title’ parameter.

Unauthenticated attackers, Defiant explains, could trigger the security defect to inject a PHP object and then exploit a POP (Property Oriented Programming) chain to execute arbitrary code remotely or delete arbitrary files.

PHP uses serialization to store complex data, and serialized data can represent PHP objects. When a plugin deserializes user-supplied data without sanitization, an attacker can inject a payload that is reconstructed as a PHP object; on its own that object is harmless unless its class defines magic methods.

These magic methods are special functions that define behavior during certain operations, and crafted PHP objects could be used to leverage these functions to perform nefarious actions that could potentially lead to site takeover.

This was the case with the highly popular GiveWP donation and fundraising plugin, which has over 100,000 active installations.

The plugin provides users with a broad range of capabilities, including customizable donation forms and donor and reports management.

The function that handles and processes donations also validates the post data and checks whether it contains serialized values, but that check does not cover the give_title post parameter.


Once the validation process has been completed, additional functions are called to process and store the supplied information, including functions that collect user information, such as the user title, which is based on the give_title post parameter.

Additional functions are then called to process the payment and user information, and the serialized value of the user title, which is written to the database as a key value, is deserialized by one of them.

Because the attacker can control the properties of the deserialized object, they can chain code together to execute arbitrary code on the server, or delete arbitrary files.
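To make the mechanism concrete, here is an added PHP example (not GiveWP's code, and not the actual POP chain) showing why a serialized string in a text field matters and the two defensive layers that close the hole: rejecting serialized-looking input at validation time, the layer the article says was missing for give_title, and refusing to instantiate classes if unserialize() is unavoidable. The class name, field values and the simplified shape check are all constructed for illustration.

```php
<?php
// Added example, not plugin code. Class name and sample values are hypothetical.

// A class with a magic method. unserialize() calls __wakeup() automatically on
// any object it rebuilds; a POP chain abuses magic methods like this one.
class AuditLogEntry {
    public $message = '';
    public function __wakeup() {
        echo "__wakeup() ran for AuditLogEntry: {$this->message}\n";
    }
}

// Detection: does a string have the shape of PHP serialized data?
// Simplified version of the check WordPress core's is_serialized() performs.
function looks_serialized(string $value): bool {
    return (bool) preg_match('/^(?:[OCa]:\d+:|[sibd]:|N;)/', $value);
}

// Vulnerable pattern: a stored value is later handed to unserialize() as-is,
// so any class referenced in it is instantiated and its magic methods run.
function vulnerable_restore(string $stored) {
    return unserialize($stored);
}

// Hardened pattern: a donor title is plain text, so serialized-looking input
// is rejected before it is ever stored, and nothing is deserialized.
function hardened_restore(string $stored) {
    if (looks_serialized($stored)) {
        return null; // a real handler would return a validation error here
    }
    return $stored;
}

// Constructed inputs: a normal title, and a serialized object in the same field.
$normal = 'Dr.';
$entry = new AuditLogEntry();
$entry->message = 'from form field';
$crafted = serialize($entry);

echo "Vulnerable path rebuilt an object: ";
var_dump(vulnerable_restore($crafted) instanceof AuditLogEntry); // true, __wakeup() ran
echo "Hardened path on crafted input: ";
var_dump(hardened_restore($crafted));                             // NULL, rejected
echo "Hardened path on normal input: ";
var_dump(hardened_restore($normal));                              // string "Dr."

// Second layer when unserialize() cannot be avoided: allowed_classes => false
// yields __PHP_Incomplete_Class, so no magic method of AuditLogEntry is invoked.
var_dump(unserialize($crafted, ['allowed_classes' => false]));
```

Run with `php example.php`; the crafted string only triggers __wakeup() on the vulnerable path, which is the behaviour the validation gap around give_title allowed.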

Depending on the deleted files, the attacker could trigger a site reset, potentially taking it over, if they connect it to a remote database under their control.

The vulnerability impacts GiveWP version 3.14.1 and prior and was addressed with the release of version 3.14.2 two weeks ago. Users are advised to update to a patched version of the plugin as soon as possible. 

Tens of thousands of websites may remain unpatched against this vulnerability, although the plugin has amassed over 60,000 downloads over the past week, WordPress.org statistics show. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
