A critical vulnerability in the GiveWP WordPress plugin exposed over 100,000 websites to remote code execution and arbitrary file deletion attacks, WordPress security firm Defiant reports.
Tracked as CVE-2024-5932 (CVSS score of 10/10), the bug is described as a PHP object injection via the deserialization of untrusted input from the ‘give_title’ parameter.
Unauthenticated attackers, Defiant explains, could trigger the security defect to inject a PHP object and then exploit a POP (Property Oriented Programming) chain to execute arbitrary code remotely or delete arbitrary files.
PHP uses serialization to store complex data, and serialized data can hold PHP objects. When a plugin deserializes user-supplied data without sanitization, an attacker-supplied payload becomes a PHP object, but such an object is not dangerous on its own unless magic methods come into play.
These magic methods are special functions that define behavior during certain operations, and crafted PHP objects could be used to leverage these functions to perform nefarious actions that could potentially lead to site takeover.
This was the case with the highly popular GiveWP donation and fundraising plugin, which has over 100,000 active installations.
The plugin provides users with a broad range of capabilities, including customizable donation forms and donor and reports management.
The function that handles and processes donations also validates the post data and checks whether it contains serialized values, but the give_title post parameter is left out of that check.
Once the validation process has been completed, additional functions are called to process and store the supplied information, including functions that collect user information, such as the user title, which is based on the give_title post parameter.
Additional functions are then called to process the payment and user information, and the serialized value of the user title, which is written to the database as a key value, is deserialized by one of them.
Because the attacker can control the properties of the deserialized object, they can chain code together to execute arbitrary code on the server, or delete arbitrary files.
Depending on the deleted files, the attacker could trigger a site reset, potentially taking it over, if they connect it to a remote database under their control.
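As an added example, not code from GiveWP, Defiant or the original article, the following PHP shows the two defensive patterns the flaw described above points to: a check that screens every submitted field for serialized data instead of an incomplete subset, and deserialization that refuses to instantiate classes so magic methods never run. The helper names, the title field name and the sample request are constructed for illustration.

```php
<?php
// Added example (not GiveWP code). Demonstrates mitigations for the
// deserialization-of-untrusted-input pattern described in the article.

// Hypothetical helper: true if $value looks like PHP-serialized data.
// (WordPress core ships its own is_serialized(); this stand-alone version
// keeps the example runnable outside WordPress.)
function looks_serialized(string $value): bool
{
    $value = trim($value);
    if ($value === 'N;') {
        return true;
    }
    // Serialized scalars, arrays and objects all start with a type letter and a colon.
    return (bool) preg_match('/^[abCdiOosS]:/', $value);
}

// Screen every submitted field, not an allow-list of them: the flaw above came
// from a single parameter being left out of the serialized-value check.
function reject_serialized_fields(array $post): array
{
    $rejected = [];
    foreach ($post as $key => $value) {
        if (is_string($value) && looks_serialized($value)) {
            $rejected[] = $key;
        }
    }
    return $rejected;
}

// Defensive deserialization for data the application stored earlier:
// allowed_classes => false turns every object token into __PHP_Incomplete_Class,
// so no magic method (__wakeup, __destruct, ...) of a real class is ever invoked.
function safe_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample request: the title field carries a serialized object.
$sample_post = [
    'give_first' => 'Alice',
    'give_title' => 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}',
];

// Fields that should be refused before anything is written to the database.
var_dump(reject_serialized_fields($sample_post));

// Even if such a value reached storage, reading it back yields no live object.
$obj = safe_unserialize($sample_post['give_title']);
var_dump($obj instanceof __PHP_Incomplete_Class);
```

Storing structured data as JSON rather than PHP serialization removes the object-injection surface entirely, since json_decode() never instantiates application classes.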
The vulnerability impacts GiveWP version 3.14.1 and prior and was addressed with the release of version 3.14.2 two weeks ago. Users are advised to update to a patched version of the plugin as soon as possible.
Tens of thousands of websites may remain unpatched against this vulnerability, although the plugin has amassed over 60,000 downloads over the past week, WordPress.org statistics show.