A severe security flaw has been discovered in GiveWP, a popular WordPress donation plugin with over 100,000 active installations.
The vulnerability, classified as an unauthenticated PHP Object Injection leading to Remote Code Execution (RCE), was responsibly reported through the Wordfence Bug Bounty Program on May 26th, 2024.
The critical vulnerability, assigned CVE-2024-5932 with a CVSS score of 10.0, affects all versions of GiveWP up to and including 3.14.1. It allows unauthenticated attackers to inject malicious PHP objects through the ‘give_title’ parameter, potentially leading to remote code execution and arbitrary file deletion.
Security researcher villu164 discovered the flaw and earned a substantial bounty of $4,998.00 for the finding. The Wordfence team promptly validated the report and attempted to contact the StellarWP team, the plugin’s developers, on June 13th, 2024. After receiving no response, they escalated the issue to the WordPress.org Security Team on July 6th, 2024.
WordPress Plugin RCE Vulnerability
The vulnerability stems from improper input sanitization in the donation form processing function. Attackers can exploit this flaw to inject serialized PHP objects, which are then unserialized during payment processing. A property-oriented programming (POP) gadget chain present in the plugin allows for the execution of arbitrary code and file deletion.
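As an added example (not code from the advisory or from GiveWP), the following Python scans form-encoded POST bodies for the `O:`/`C:` framing of a PHP serialized object, the kind of input an `unserialize()` call should never receive from an unauthenticated visitor. The parameter names and request bodies are constructed for illustration; the scanner checks every parameter rather than only `give_title`, so it generalises beyond the one parameter the advisory names, and it also catches a double-URL-encoded payload and an object nested inside a serialized array.

```python
import re
from urllib.parse import parse_qs, quote, unquote_plus

# Shape of a PHP serialized object: O:<name length>:"<class name>":<property count>:{
# The C: form (classes implementing Serializable) uses the same framing.
# A bare serialized string (s:3:"foo";) or array (a:1:{...}) does not match on its own,
# but an object nested inside an array does, because the search is unanchored.
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"[^"]*":\d+:\{')


def looks_like_php_object(value: str) -> bool:
    """True if value, as given or after one more round of URL decoding, embeds a PHP object."""
    if PHP_OBJECT_RE.search(value):
        return True
    # parse_qs already decodes once; a second pass catches double-encoded payloads.
    return bool(PHP_OBJECT_RE.search(unquote_plus(value)))


def flag_serialized_objects(body: str) -> list[str]:
    """Return the names of form parameters whose value carries a PHP serialized object."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(
        name for name, values in params.items()
        if any(looks_like_php_object(v) for v in values)
    )


def scan_requests(bodies: list[str]) -> list[tuple[int, list[str]]]:
    """Scan a batch of POST bodies; return (index, flagged parameter names) for each hit."""
    hits = []
    for i, body in enumerate(bodies):
        flagged = flag_serialized_objects(body)
        if flagged:
            hits.append((i, flagged))
    return hits


# Constructed sample payload: stdClass has no magic methods, so this only
# illustrates the serialization framing a detector has to recognise.
SAMPLE_OBJECT = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'

# Constructed donation-form POST bodies (hypothetical field names apart from
# give_title, which is the parameter the advisory names).
SAMPLE_REQUESTS = [
    # benign submission
    "give-form-id=12&give_title=Mr.&give_first=Ada&give_last=Lovelace&give-amount=25",
    # serialized object, URL-encoded once as a browser would
    "give-form-id=12&give_title=" + quote(SAMPLE_OBJECT, safe="") + "&give-amount=25",
    # the same object URL-encoded twice
    "give-form-id=12&give_title=" + quote(quote(SAMPLE_OBJECT, safe=""), safe="") + "&give-amount=25",
    # object hidden inside a serialized array
    "give-form-id=12&give_title=" + quote("a:1:{i:0;" + SAMPLE_OBJECT + "}", safe="") + "&give-amount=25",
]


if __name__ == "__main__":
    for index, names in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: serialized PHP object in {', '.join(names)}")
```

This is a detection aid for log review or a WAF rule, not a fix: pattern matching can be evaded with other encodings, and the only reliable mitigation is the patched release together with code that never passes untrusted input to `unserialize()`.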
StellarWP released a patched version (3.14.2) addressing the vulnerability on August 7th, 2024. WordPress site administrators are strongly urged to update their GiveWP plugin to this latest version immediately.
The severity of this vulnerability cannot be overstated, given its potential for unauthorized remote code execution on affected sites. WordPress site owners should:
- Immediately update GiveWP to version 3.14.2 or later
- Conduct a thorough security audit of their websites
- Consider implementing additional security measures, such as Web Application Firewalls
Given the critical nature of the vulnerability and its potential for remote code execution, malicious actors are likely to attempt to exploit it soon if they have not already. The disclosure recommends that WordPress site administrators urgently update to the patched version 3.14.2 to mitigate the risk.