
A critical vulnerability in the widely used GiveWP donation and fundraising plugin for WordPress has put more than 100,000 websites at risk of remote code execution. The flaw, tracked as CVE-2024-5932, carries the maximum CVSS score of 10.0 and could allow attackers to execute malicious code remotely, potentially leading to significant security breaches on affected sites.
Uncovering the Flaw
The vulnerability was discovered and reported by a security researcher known as villu164; a security update followed on August 7, 2024. All versions of the GiveWP plugin up to and including 3.14.1 are affected, and the issue is patched in the latest version, 3.14.2.
According to Wordfence, a prominent WordPress security company, the flaw is a PHP Object Injection vulnerability. It is triggered by the deserialization of untrusted input from the ‘give_title’ parameter, which allows unauthenticated attackers to inject a PHP object into the application. Combined with a POP chain, this enables attackers to execute arbitrary code remotely and delete arbitrary files on the server.
The Technical Breakdown
At the heart of this vulnerability is a function called “give_process_donation_form().” This function is responsible for validating and sanitizing form data, including sensitive payment information, before it is passed to the designated payment gateway. The flaw is that untrusted form data is deserialized along this path, so a crafted serialized object in the request is turned into a live PHP object that can be used to compromise the server.
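To make the bug class concrete, here is an added PHP illustration (not GiveWP's own code) of the unsafe pattern the advisory describes, a hardened replacement, and a defence-in-depth wrapper for code that genuinely cannot avoid unserialize(). The handler names are hypothetical; only the ‘give_title’ parameter name comes from the advisory. It assumes PHP 8 and, when run inside WordPress, the real sanitize_text_field()/wp_unslash() helpers.

```php
<?php
// Added illustration, not GiveWP's code. Hypothetical function names;
// the only detail taken from the advisory is the 'give_title' parameter.

if (!function_exists('sanitize_text_field')) {
    // Stand-ins so the file also runs outside WordPress (assumption:
    // simplified behaviour, not WordPress's real implementation).
    function wp_unslash(string $v): string { return stripslashes($v); }
    function sanitize_text_field(string $v): string {
        return trim(preg_replace('/[\r\n\t ]+/', ' ', strip_tags($v)));
    }
}

// BEFORE (the vulnerable pattern): request data is handed straight to
// unserialize(), so any class on the site whose magic methods
// (__wakeup, __destruct, ...) do something dangerous becomes reachable.
function vulnerable_handle_title(array $post): mixed
{
    $raw = $post['give_title'] ?? '';
    return unserialize($raw);   // PHP Object Injection
}

// AFTER (hardened): a donation title is plain text, so never deserialize
// it at all; sanitize and length-limit it instead.
function safe_handle_title(array $post): string
{
    $raw   = (string) ($post['give_title'] ?? '');
    $title = sanitize_text_field(wp_unslash($raw));
    return mb_substr($title, 0, 255);
}

// Defence in depth where unserialize() truly cannot be avoided: refuse
// anything that encodes an object, and forbid class instantiation so a
// smuggled object can only become __PHP_Incomplete_Class (no magic methods).
function unserialize_scalars_only(string $data): mixed
{
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $data)) {
        return false;   // serialized object/class payload, reject it
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample input showing the hardened path is inert.
$sample = ['give_title' => "  Annual <b>Gala</b>\n fund  "];
var_dump(safe_handle_title($sample));                 // string "Annual Gala fund"
var_dump(unserialize_scalars_only('a:1:{i:0;O:8:"stdClass":0:{}}')); // bool(false)
var_dump(unserialize_scalars_only('a:1:{i:0;s:4:"safe";}'));          // array(1)
```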
If exploited, this vulnerability could grant an attacker full control over the affected website, allowing them to delete files, steal sensitive data, or even launch further attacks from the compromised site. The severity of this vulnerability cannot be overstated, given its potential to cause widespread damage.
Immediate Action Required
Given the critical nature of this vulnerability, it is imperative that all GiveWP users immediately update their plugins to the latest version (3.14.2) to protect their websites from potential exploitation. Failure to do so could leave their sites vulnerable to malicious attacks, with the possibility of significant data breaches or service disruptions.
This disclosure follows closely on the heels of another major security flaw discovered by Wordfence in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0). Like the GiveWP flaw, this vulnerability also allows unauthenticated attackers to read and delete arbitrary files, including the critical wp-config.php file, which could lead to a complete compromise of the website.
Other Critical WordPress Plugin Vulnerabilities
In addition to the GiveWP and InPost plugin vulnerabilities, another critical issue has been identified in the JS Help Desk WordPress plugin, which has over 5,000 active installations. This flaw (CVE-2024-7094, CVSS score: 9.8) is due to a PHP code injection vulnerability, which could also lead to remote code execution. A patch has been released in version 2.8.7 of the plugin.
Furthermore, several other WordPress plugins have been found to contain serious security flaws:
CVE-2024-6220 (CVSS score: 9.8) – An arbitrary file upload vulnerability in the Keydatas plugin that allows unauthenticated attackers to upload malicious files to the server, leading to code execution.
CVE-2024-6467 (CVSS score: 8.8) – A file read vulnerability in the BookingPress appointment booking plugin, enabling authenticated attackers with Subscriber-level access or higher to create arbitrary files, execute code, or access sensitive information.
CVE-2024-5441 (CVSS score: 8.8) – An arbitrary file upload vulnerability in the Modern Events Calendar plugin, allowing authenticated attackers to upload and execute malicious files on the server.
CVE-2024-6411 (CVSS score: 8.8) – A privilege escalation vulnerability in the ProfileGrid plugin, allowing authenticated users to escalate their privileges to Administrator level.

The Importance of Patching
These vulnerabilities underscore the critical importance of regularly updating WordPress plugins to the latest versions. Cybercriminals are increasingly exploiting such flaws to deliver malware, including credit card skimmers that can harvest sensitive financial information from site visitors.
Just last week, security firm Sucuri revealed a new skimming campaign targeting PrestaShop e-commerce websites. The campaign injects malicious JavaScript into the sites, using a WebSocket connection to steal credit card details.
In light of these threats, Sucuri has also warned WordPress site owners against using nulled (pirated) plugins and themes. These unauthorized copies are often laced with malware, which can serve as a gateway for further attacks.
Conclusion
In today’s digital landscape, security should never be compromised. Website owners must remain vigilant, ensuring that all plugins and themes are legitimate and up-to-date. With attackers continuously seeking new ways to exploit vulnerabilities, timely patching and responsible website management are crucial defenses against the ever-present threat of cyberattacks.