CVE-2024-9634 is a critical vulnerability in the GiveWP WordPress plugin, which is actively used on over 100,000 websites for managing online donations. This PHP Object Injection flaw allows remote, unauthenticated attackers to execute arbitrary code, giving them the potential to take complete control of a site and access sensitive donor information. Due to the simplicity of exploitation and high impact, this vulnerability is rated as critical with a CVSS score of 9.8.
Vulnerability ID: CVE-2024-9634
Severity: Critical (CVSS 9.8)
Affected Software: GiveWP Plugin for WordPress
Patched Version: 3.16.4
Date of Discovery: October 15, 2024
Researcher: “lefab”
Technical Details
The vulnerability arises from improper handling of user input within the give_company_name parameter, leading to a PHP Object Injection (POI) issue. Attackers can exploit this by injecting serialized PHP objects into the parameter. Upon deserialization, this object leverages a pre-existing Property-Oriented Programming (POP) chain within the code (a sequence of existing class methods, typically reached through magic methods such as __wakeup() or __destruct() that PHP invokes during unserialization) to execute arbitrary commands.
Key Aspects of Exploitation:
- Vector: Network
- Privileges Required: None (Unauthenticated exploit)
- Complexity: Low
The attacker crafts a serialized object payload and transmits it through an HTTP request. If successfully deserialized, the payload chains functions in the PHP environment to execute commands on the server, resulting in remote code execution (RCE) with administrative privileges.
Impact Analysis
If CVE-2024-9634 is successfully exploited, the attacker gains complete control over the affected WordPress site. The potential impacts include:
- Remote Code Execution (RCE): Full administrative access to the website, enabling unauthorized modifications.
- Data Breach: Exposure of sensitive donor information, including payment data.
- Website Integrity Compromise: Potential for attackers to delete or modify files, inject malicious code, and disrupt website functionality.
Given the plugin’s popularity and its role in managing donor transactions, the impact is particularly concerning for nonprofit organizations and other entities relying on GiveWP.
Mitigation Recommendations
Immediate Actions:
- Patch Installation: All users of the GiveWP plugin should update to version 3.16.4 immediately, which includes the patch to address CVE-2024-9634.
- Input Sanitization: Regularly review plugins to confirm that all user input fields are sanitized and that user-supplied strings are never passed to unserialize().
Additional Security Measures:
- Enhanced Monitoring: Monitor logs for suspicious deserialization attempts, particularly any unexpected inputs to give_company_name.
- Access Restriction: Limit user privileges to essential personnel and enable multi-factor authentication (MFA) to mitigate the risk of unauthorized access.
Long-term Hardening:
- Web Application Firewall (WAF): Implement a WAF to detect and block malicious payloads, especially those typical of POI exploits.
- Intrusion Detection System (IDS): Enable IDS/IPS systems to detect unexpected activity, including unauthorized file modifications and unusual PHP execution patterns.
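As an added, illustrative example (it is not part of this advisory and not GiveWP's code), the following Python script applies the "Enhanced Monitoring" recommendation above: it parses constructed request records (query string and form body), flags any parameter value that carries a PHP serialization token, and records whether the parameter is the give_company_name field named by the advisory. The log record layout, the endpoint path, the extra form fields and the sample values are assumptions; the serialized class in the sample is stdClass, a harmless placeholder chosen only to exercise the parser.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter the advisory names as the injection point.
WATCHED_PARAMS = ('give_company_name',)

# PHP serialization tokens. An object (O:) or custom-serialized (C:) token
# carries the class-name length before the name, so the two must agree;
# checking that keeps ordinary text such as "O:12 Ltd" from being flagged.
_OBJ_RE = re.compile(
    r'(?<![A-Za-z0-9_])([OC]):(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":(\d+):\{'
)
_ARR_RE = re.compile(r'(?<![A-Za-z0-9_])a:\d+:\{')


def classify_php_serialized(value):
    """Return ('object', class_name), ('array', None) or None for a decoded value."""
    m = _OBJ_RE.search(value)
    if m and int(m.group(2)) == len(m.group(3)):
        return ('object', m.group(3))
    if _ARR_RE.search(value):
        return ('array', None)
    return None


def request_params(record):
    """Merge query-string and form-body parameters into {name: [decoded values]}."""
    params = {}
    query = urlsplit(record['url']).query
    for raw in (query, record.get('body') or ''):
        # parse_qs percent-decodes and turns '+' into spaces, so the
        # classifier sees the same bytes PHP would receive.
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def scan_requests(records, watched=WATCHED_PARAMS):
    """Flag requests whose parameters contain PHP serialization tokens."""
    findings = []
    for record in records:
        for name, values in request_params(record).items():
            for value in values:
                hit = classify_php_serialized(value)
                if hit is None:
                    continue
                kind, class_name = hit
                findings.append({
                    'src': record['src'],
                    'param': name,
                    'watched': name in watched,
                    'kind': kind,
                    'class': class_name,
                    # only an object token can reach a POP chain; a serialized
                    # array in a company-name field is still worth a look
                    'severity': 'high' if kind == 'object' else 'medium',
                })
    return findings


# Constructed request records (not real traffic): one benign donation, one
# carrying a serialized object, one carrying a serialized array, one look-alike.
SAMPLE_REQUESTS = [
    {'src': 'access.log:1', 'method': 'POST', 'url': '/wp-admin/admin-ajax.php',
     'body': 'give_company_name=Acme+Nonprofit&amount=25'},
    {'src': 'access.log:2', 'method': 'POST', 'url': '/wp-admin/admin-ajax.php',
     'body': 'give_company_name=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D&amount=25'},
    {'src': 'access.log:3', 'method': 'GET',
     'url': '/?give_company_name=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22abc%22%3B%7D',
     'body': ''},
    {'src': 'access.log:4', 'method': 'POST', 'url': '/wp-admin/admin-ajax.php',
     'body': 'give_company_name=Unit+O%3A12+Ltd'},
]

if __name__ == '__main__':
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['severity'].upper():6} {f['src']} {f['param']} "
              f"kind={f['kind']} class={f['class'] or '-'} watched={f['watched']}")
```

Run against the constructed records, the script reports the object payload in access.log:2 as high severity and the array in access.log:3 as medium, while the benign name and the "O:12 Ltd" look-alike produce nothing. To use it on real traffic, feed it records whose body field holds the captured POST data (a WAF or reverse-proxy log that retains request bodies), since a standard access log only exposes the query string.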
Proof of Concept (PoC)
A proof of concept for this vulnerability involves crafting a serialized PHP object targeting the give_company_name parameter. When deserialized, the payload utilizes specific PHP functions in a POP chain to initiate command execution on the server. Full details and PoC have been restricted to prevent active exploitation.
Immediate Action Required: Patch all installations of GiveWP to version 3.16.4 or newer and ensure additional security layers are in place to prevent exploitation of similar vulnerabilities.