GiveWP WordPress Plugin Vulnerability Puts 100,000+ Websites at Risk

A critical security vulnerability has been discovered in the WordPress GiveWP donation and fundraising plugin, potentially exposing over 100,000 websites to remote code execution (RCE) attacks. The flaw, identified as CVE-2024-5932 with a maximum CVSS score of 10.0, affects all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. The issue was discovered and reported by security researcher villu164.

According to Wordfence, the vulnerability stems from a PHP Object Injection issue caused by the deserialization of untrusted input from the ‘give_title’ parameter in versions up to and including 3.14.1. This flaw allows unauthenticated attackers to inject a PHP Object, and the presence of a POP chain enables remote code execution and the deletion of arbitrary files.

The vulnerability originates in the function “give_process_donation_form(),” which validates and sanitizes form data before passing donation and payment information to the selected payment gateway. Exploiting this flaw could allow an authenticated attacker to execute malicious code on the server, so updating the plugin to the latest version is crucial.
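To make the deserialization issue described above concrete, here is an added example (it is not GiveWP code, and ‘give_title’ is the only name taken from the advisory; the function names and the sample payload are illustrative assumptions). It shows the unsafe pattern in which a request parameter reaches unserialize() and two ways to close it: treating the value as plain text, or calling unserialize() with object creation disabled and rejecting any object that appears.

```php
<?php
declare(strict_types=1);

// Added example, not GiveWP code. 'give_title' is the request parameter named in
// the advisory; everything else (function names, sample payload) is an assumption.

// VULNERABLE: a request value is passed straight to unserialize(). Any class that
// is loadable at that moment and has magic methods (__wakeup, __destruct,
// __toString) can be instantiated with attacker-controlled properties, which is
// what makes a POP chain possible.
function vulnerable_read_title(array $request)
{
    $raw = (string) ($request['give_title'] ?? '');
    return unserialize($raw);
}

// HARDENED (preferred): a donation title is plain text, so never deserialize it.
function safe_read_title(array $request): string
{
    $raw = (string) ($request['give_title'] ?? '');
    $title = trim(strip_tags($raw));
    return mb_substr($title, 0, 200); // also bound the length
}

// HARDENED (only when serialized data is genuinely required): forbid object
// creation. With ['allowed_classes' => false] (PHP >= 7.0) any object in the
// payload becomes __PHP_Incomplete_Class, so no magic methods run, and the
// function then rejects it outright.
function safe_unserialize_scalar(string $raw)
{
    if ($raw === serialize(false)) {
        return false; // the one legitimate input for which unserialize() yields false
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false || is_object($value)) {
        return null; // malformed input, or an object where a scalar/array was expected
    }
    return $value;
}

// Constructed sample input: a harmless stdClass, serialized. It stands in for any
// object payload reaching the parameter.
$sample = ['give_title' => serialize((object) ['x' => 1])];

echo get_class(vulnerable_read_title($sample)), "\n";      // stdClass: an object was built
echo safe_read_title($sample), "\n";                         // the raw text, treated as text
var_dump(safe_unserialize_scalar($sample['give_title']));   // NULL: object rejected
var_dump(safe_unserialize_scalar(serialize('hello')));      // string(5) "hello"
```

Inside a WordPress plugin the idiomatic equivalent of safe_read_title() is sanitize_text_field(wp_unslash($value)); the point either way is that data a form submits should never be handed to unserialize(), and that allowed_classes is the fallback, not the fix.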

This disclosure follows another critical vulnerability identified by Wordfence in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0), which allows unauthenticated attackers to read and delete arbitrary files, including the wp-config.php file. On Linux systems only files within the WordPress installation directory can be deleted, although any file can be read. The issue has been patched in version 1.4.5.

Additionally, another severe vulnerability (CVE-2024-7094, CVSS score: 9.8) has been found in the JS Help Desk WordPress plugin, which has over 5,000 active installations. This flaw, due to a PHP code injection issue, could also enable remote code execution. A patch has been issued in version 2.8.7.

Other recently resolved WordPress plugin vulnerabilities include:

– CVE-2024-6220 (CVSS score: 9.8): An arbitrary file upload flaw in the Keydatas plugin that allows unauthenticated attackers to upload and execute arbitrary files.
– CVE-2024-6467 (CVSS score: 8.8): An arbitrary file read flaw in the BookingPress plugin that allows authenticated users with Subscriber-level access and above to create and execute arbitrary files or access sensitive information.
– CVE-2024-5441 (CVSS score: 8.8): An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated users to upload and execute files.
– CVE-2024-6411 (CVSS score: 8.8): A privilege escalation flaw in the ProfileGrid plugin that allows authenticated users with Subscriber-level access to elevate their privileges to Administrator.

Applying patches for these vulnerabilities is essential to prevent attackers from exploiting them for malicious purposes, such as installing credit card skimmers that steal financial information from site visitors.

In a related note, Sucuri recently uncovered a skimmer campaign targeting PrestaShop e-commerce websites, injecting them with malicious JavaScript that uses WebSocket connections to steal credit card details. The GoDaddy-owned security company has also advised against using nulled plugins and themes, as they can serve as a gateway for malware and other malicious activities.

Sucuri emphasizes that using legitimate plugins and themes is crucial for responsible website management, and security should not be compromised for shortcuts.
