A critical vulnerability, identified as CVE-2024-5932, has been discovered in the GiveWP plugin—a widely-used WordPress donation and fundraising platform. This flaw exposes over 100,000 WordPress sites to potential remote code execution (RCE) attacks, posing a severe security risk.
Vulnerability Overview:
- Vulnerability Type: PHP Object Injection
- Affected Plugin: GiveWP
- Versions Impacted: All versions up to and including 3.14.1
- CVE ID: CVE-2024-5932
- CVSS Score: 10.0 (Critical)
- Fully Patched Version: 3.14.2
Technical Details:
The vulnerability is rooted in the give_process_donation_form() function, which handles donation form data. The flaw arises from improper validation and sanitization of the give_title parameter: this untrusted input reaches PHP deserialization, so an attacker can supply a serialized string that instantiates objects of their choosing (PHP Object Injection).
A critical aspect of the vulnerability is its exploitation through a Property-Oriented Programming (POP) chain within the GiveWP plugin. This chain involves classes like GiveInsertPaymentData and Give\Vendors\Faker\ValidGenerator, culminating in the execution of the shell_exec() function. This allows attackers to execute arbitrary commands on the server, potentially resulting in complete site takeover or data destruction, including the deletion of critical files like wp-config.php.
Example Exploit Payload:
O:7:"Product":3:{s:5:"price";i:2;s:11:"productName";s:6:"apples";s:14:"savedPriceFile";s:13:"wp-config.php";}
This payload demonstrates how an attacker could manipulate the plugin to delete the wp-config.php file, crippling the WordPress site.
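As an added example (not code from this advisory or from GiveWP), a Python helper a defender could run over logged form parameters such as give_title: it parses PHP's serialization format and reports which classes unserialize() would instantiate, so that only inputs that would actually create objects are flagged rather than every string that happens to contain a colon. The "Product" string is the advisory's own illustrative payload; the other samples are constructed.

```python
import re
OBJECT_TOKEN = re.compile(r'O:\d+:"')  # cheap fallback for malformed or truncated input

def _parse(s: str, i: int, classes: list) -> int:
    # Parse one PHP-serialized value at s[i]; record O: class names; return index past it (malformed data raises).
    t = s[i]
    if t == 'N':                          # N;
        return i + 2
    if t in 'bidrR':                      # b:1;  i:42;  d:1.5;  r:1;  R:1;
        return s.index(';', i) + 1
    if t == 's':                          # s:<len>:"<bytes>";  length-prefixed, so quotes inside are fine
        colon = s.index(':', i + 2)
        end = colon + 2 + int(s[i + 2:colon])
        if s[end:end + 2] != '";':
            raise ValueError('bad string at %d' % i)
        return end + 2
    if t in 'aO':
        start = i + 2                     # a:<n>:{k;v;...}
        if t == 'O':                      # O:<len>:"<class>":<n>:{k;v;...}
            colon = s.index(':', i + 2)
            name_len = int(s[i + 2:colon])
            classes.append(s[colon + 2:colon + 2 + name_len])
            start = colon + 2 + name_len + 2   # first digit of the property count
        colon = s.index(':', start)
        j = colon + 2                     # skip ':{'
        for _ in range(2 * int(s[start:colon])):   # n keys followed by n values
            j = _parse(s, j, classes)
        if s[j] != '}':
            raise ValueError('bad container at %d' % i)
        return j + 1
    raise ValueError('unknown token %r at %d' % (t, i))

def object_classes(value: str) -> list:
    # Class names that PHP unserialize(value) would instantiate, in order of appearance.
    classes: list = []
    if _parse(value, 0, classes) != len(value):
        raise ValueError('trailing data after serialized value')
    return classes

def looks_like_object_injection(param: str) -> bool:
    # True for input that would instantiate objects when unserialized, or that carries an O: token.
    try:
        flagged = bool(object_classes(param))
    except (ValueError, IndexError):
        flagged = False
    return flagged or bool(OBJECT_TOKEN.search(param))

# Constructed samples; the "Product" string is the advisory's own illustrative payload.
SAMPLES = {'title': 'Monthly gift from Alice', 'array': 'a:2:{i:0;s:3:"foo";i:1;b:1;}',
           'nested': 'a:1:{s:1:"k";O:3:"Foo":1:{s:1:"x";N;}}',
           'page': 'O:7:"Product":3:{s:5:"price";i:2;s:11:"productName";s:6:"apples";s:14:"savedPriceFile";s:13:"wp-config.php";}'}
```

Feeding each sample to looks_like_object_injection() flags 'page' and 'nested' while leaving the plain title and the object-free array alone; object_classes() on a flagged value names the classes for triage.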
Mitigation:
- Patch Release: A security patch was released on August 7, 2024, in version 3.14.2 of the GiveWP plugin.
- Action Required: All users of the GiveWP plugin should immediately update to version 3.14.2 to mitigate this critical vulnerability.
- Best Practices: Regularly update all WordPress plugins, conduct security audits, and employ additional security measures like Web Application Firewalls (WAF) to protect against such threats.
Timeline of Events:
- June 13, 2024: Vulnerability reported to the StellarWP team.
- July 6, 2024: Escalation to the WordPress.org Security Team due to a lack of response.
- August 7, 2024: Patch released in version 3.14.2.
The discovery of CVE-2024-5932 underscores the ongoing need for vigilant security practices within the WordPress ecosystem. Administrators are urged to prioritize plugin updates and consider proactive security measures to defend against emerging threats.
For further information and updates, users should regularly check security advisories and ensure all systems are kept up-to-date.