A critical vulnerability affecting over 100,000 WordPress sites has been identified in the GiveWP plugin, a popular donation and fundraising platform.
The flaw, which enables unauthenticated remote code execution, was discovered and responsibly reported by security researcher villu164 through the Wordfence Bug Bounty Program, and a $4,998 reward was approved for the contribution. The issue, classified as a PHP Object Injection vulnerability, was assigned a CVSS score of 10.0, the maximum severity, reflecting a very high risk of in-the-wild exploitation.
GiveWP is a widely used plugin designed to facilitate online donations, offering features like customizable forms, donor management, and integration with various payment gateways. Its extensive use across nonprofit organizations, educational institutions, and other entities relying on donations makes this vulnerability particularly concerning.
Technical details
The vulnerability, first submitted to Wordfence on May 26, 2024, stems from the give_title parameter in GiveWP versions 3.14.1 and earlier. The parameter is inadequately validated, allowing attackers to inject a serialized PHP object into the system. During the donation process, the give_title input passes through a series of functions without proper sanitization and is ultimately deserialized as untrusted data.
This deserialized object can interact with a pre-existing POP (Property Oriented Programming) chain within the plugin’s codebase. The POP chain enables the injected object to invoke methods that can be exploited for remote code execution. Specifically, it can trigger the __destruct magic method to delete arbitrary files or execute arbitrary commands on the server.
For instance, an attacker could craft a payload that deletes critical files such as wp-config.php or uploads a malicious web shell, thereby gaining control of the vulnerable site. Left unpatched, this flaw poses a significant risk to the integrity and security of any WordPress site running the affected versions of the plugin.
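As an added illustration (not GiveWP's own code), the snippet below contrasts the unsafe pattern the article describes, a form value reaching unserialize(), with a hardened handler that refuses object notation in a plain-text field and, where serialized data is genuinely required, forbids class instantiation. The function names are hypothetical, and sanitize_text_field() assumes WordPress core is loaded.

```php
<?php
// Unsafe pattern (simplified, hypothetical): request data is handed straight
// to unserialize(). Any class in the codebase with a __destruct/__wakeup style
// magic method becomes reachable from the HTTP request.
function vulnerable_handle_title(string $give_title)
{
    return unserialize($give_title); // untrusted input reaches the deserializer
}

// Detection helper: PHP serialized object/class notation is O:<len>:"<class>"
// or C:<len>:"<class>", at the start of the string or after a delimiter when
// nested inside an array. A donation title never legitimately contains this.
function looks_like_serialized_object(string $value): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $value);
}

// Hardened handler: a title is plain text, so validate it as text and never
// pass it to unserialize(). Rejected payloads are logged for detection.
function hardened_handle_title(string $give_title): string
{
    if (looks_like_serialized_object($give_title)) {
        error_log('Rejected serialized-object payload in give_title');
        return '';
    }
    return sanitize_text_field($give_title); // WordPress core helper
}

// If a field truly must carry serialized data, forbid classes outright:
// object notation becomes __PHP_Incomplete_Class and no magic method runs.
function safe_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}
```

The same object-notation check can be applied at a WAF or request-logging layer to flag attempts against unpatched sites.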
Fix available
Despite the severity of the vulnerability, initial attempts by Wordfence to alert the developers of GiveWP, operated by StellarWP, went unanswered. Wordfence escalated the issue to the WordPress.org Security Team on July 6, 2024, leading to the release of a patch in version 3.14.2 of the plugin on August 7, 2024. The patch neutralizes the vulnerability and safeguards users from exploitation, though the window of exposure was substantial.
To defend against potential attacks, WordPress site administrators using GiveWP are urged to update to version 3.14.2 immediately. If updating is impossible, the plugin should be disabled or uninstalled to remove the attack surface from the website.