Vulnerability in GiveWP WordPress Plugin Exposes Over 100,000 Websites


A critical security vulnerability has been uncovered in the GiveWP donation and fundraising plugin for WordPress, potentially affecting more than 100,000 websites and exposing them to remote code execution attacks.

This flaw, identified as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to 3.14.2, which was released on August 7, 2024. Security researcher “villu164” is credited with discovering and reporting the vulnerability.

According to a report by Wordfence, the vulnerability arises from a PHP Object Injection issue present in all versions up to 3.14.1 due to the deserialization of untrusted input from the ‘give_title’ parameter.

“This flaw enables unauthenticated attackers to inject a PHP Object. When combined with a POP chain, it can lead to remote code execution and allow attackers to delete arbitrary files,” Wordfence explained.

The issue originates in the “give_process_donation_form()” function, which validates and sanitizes form data before passing the donation and payment details to the selected gateway.

Exploiting this flaw could allow an authenticated attacker to execute malicious code on the server, making it critical for users to update their plugin to the latest version.
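As an added illustration, not code from GiveWP or Wordfence, the general shape of the defect the advisory describes (a request parameter fed to unserialize()) is shown beside two hardened handlers. The handler names are hypothetical; only the give_title parameter name comes from the report above.

```php
<?php
// Added example, not GiveWP's own code: the unsafe pattern behind PHP Object
// Injection, beside two safer ways to accept the same form field.
// "give_title" is the parameter named in the advisory; the handler names
// below are hypothetical.

// VULNERABLE: unserialize() on attacker-controlled input. Any class with
// magic methods (__wakeup, __destruct, __toString) can be instantiated,
// which is the building block of a POP chain.
function handle_title_unsafe(array $post)
{
    return unserialize($post['give_title'] ?? '');
}

// HARDENED (1): if serialized input really must be accepted, forbid object
// instantiation. With allowed_classes => false, any object in the payload
// comes back as __PHP_Incomplete_Class, which the is_string() check rejects
// along with arrays and malformed data. No class is instantiated.
function handle_title_no_objects(array $post): ?string
{
    $raw = $post['give_title'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_string($value) ? $value : null;
}

// HARDENED (2), preferred: a donation title is plain text, so never
// deserialize it at all. wp_unslash() and sanitize_text_field() are
// WordPress core functions.
function handle_title_plain(array $post): string
{
    $raw = $post['give_title'] ?? '';
    return is_string($raw) ? sanitize_text_field(wp_unslash($raw)) : '';
}
```

Reviewing plugin code for unserialize() calls on $_GET, $_POST or $_REQUEST values is a quick way to spot this class of defect before an advisory does.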

This disclosure comes shortly after Wordfence also highlighted another severe flaw in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0). This flaw allows unauthenticated attackers to read and delete arbitrary files, including the wp-config.php file.

On Linux systems, only files within the WordPress installation directory are vulnerable to deletion, but all files can be read. A fix was issued in version 1.4.5.

Additionally, another significant vulnerability (CVE-2024-7094, CVSS score: 9.8) was discovered in the JS Help Desk plugin, affecting over 5,000 active installations. The issue, caused by PHP code injection, enables remote code execution. A patch for this vulnerability has been rolled out in version 2.8.7.

WordPress Plugin Vulnerability

Other critical security flaws addressed in various WordPress plugins include:

  • CVE-2024-6220 (CVSS score: 9.8): An arbitrary file upload vulnerability in the Keydatas plugin, allowing unauthenticated attackers to upload files and execute code.
  • CVE-2024-6467 (CVSS score: 8.8): An arbitrary file read flaw in the BookingPress plugin, enabling authenticated users to create and execute arbitrary files or access sensitive data.
  • CVE-2024-5441 (CVSS score: 8.8): An arbitrary file upload vulnerability in the Modern Events Calendar plugin, allowing authenticated attackers to upload and execute code.
  • CVE-2024-6411 (CVSS score: 8.8): A privilege escalation flaw in the ProfileGrid plugin, enabling authenticated users to escalate their privileges to Administrator.

Timely patching of these vulnerabilities is essential to defend against attacks that exploit these flaws to deploy credit card skimmers and steal sensitive financial information from site visitors.

Last week, Sucuri uncovered a skimming campaign targeting PrestaShop e-commerce websites, where malicious JavaScript is injected to exploit WebSocket connections and steal credit card information.

The GoDaddy-owned website security firm also cautioned WordPress site owners against using nulled plugins and themes, emphasizing that these can serve as gateways for malware and other malicious activities.

“Ultimately, relying on legitimate plugins and themes is a key aspect of responsible website management, and security should never be compromised for convenience,” Sucuri stated.

Source: TheHackerNews