Vulnerability in GiveWP WordPress plugin puts over 100,000 websites at risk

21 August 2024 | Ravie Lakshmanan | WordPress / Cybersecurity

A high severity vulnerability has been identified in the WordPress donation and fundraising plugin GiveWP, exposing more than 100,000 websites to remote code execution attacks.

The bug, designated CVE-2024-5932 (CVSS score: 10.0), affects all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher who goes by the online alias villu164 is said to have discovered and reported the issue.

The plugin is “vulnerable to PHP object injection in all versions up to and including 3.14.1 by deserializing untrusted input from the ‘give_title’ parameter,” Wordfence said in a report this week.

“This allows unauthenticated attackers to inject a PHP object. The additional presence of a POP chain allows attackers to remotely execute code and delete arbitrary files.”

The vulnerability is rooted in a function called “give_process_donation_form()”, which is used to validate and sanitize the entered form data before forwarding the donation information, including payment details, to the specified gateway.
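As an added example (not code from the article, from Wordfence or from GiveWP), here is a defensive check that a site operator or WAF rule author could run over donation-form POST bodies: it flags serialized PHP object markers (`O:` / `C:`) in the `give_title` parameter the plugin deserialized before 3.14.2, peeling repeated URL-encoding first so that double-encoded or array-nested values are not missed. The sample request bodies and the class names in them are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# A serialized PHP object starts with O:<len>:"<Class>": (or C: for classes with
# custom serialization). A legitimate donor title ("Mr", "Dr") never contains this.
PHP_OBJECT_RE = re.compile(r'(?<!\w)[OC]:\d+:"[A-Za-z_\\][\w\\]*":')


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL-encoding (hypothetical helper) so encoded markers are visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request_body(body: str, watched=("give_title",)) -> list:
    """Return (parameter, class_name) pairs for watched form fields carrying a PHP object."""
    findings = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        if param not in watched:
            continue
        for raw in values:
            for match in PHP_OBJECT_RE.finditer(decode_layers(raw)):
                class_name = match.group(0).split('"')[1]
                findings.append((param, class_name))
    return findings


# Constructed sample bodies: a normal submission, a serialized object in give_title
# (placeholder class, no gadget), and the same marker double-encoded inside an array.
SAMPLE_BODIES = [
    "give_title=Mr&give_first=Jane&give_last=Doe&give-amount=25",
    "give_title=O%3A17%3A%22Placeholder_Class%22%3A1%3A%7Bs%3A4%3A%22path%22"
    "%3Bs%3A8%3A%22%2Ftmp%2Fabc%22%3B%7D&give-amount=25",
    "give_title=a%253A1%253A%257Bi%253A0%253BO%253A3%253A%2522Foo%2522%253A0%253A%257B%257D%257D",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(scan_request_body(body) or "clean")
```

The check only covers the one parameter named in the advisory; the durable fix is upgrading to 3.14.2 or later, since the vulnerable code path deserializes whatever reaches it.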

Successful exploitation of the vulnerability could allow an authenticated threat actor to execute malicious code on the server, so it is imperative for users to take steps to update their instances to the latest version.

The disclosure comes days after Wordfence also detailed another critical vulnerability in the WordPress plugins InPost PL and InPost for WooCommerce (CVE-2024-6500, CVSS score: 10.0) that allows unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file.

On Linux systems, only files in the WordPress installation directory can be deleted, but all files can be read. The issue was fixed in version 1.4.5.

Another critical flaw in JS Help Desk, a WordPress plugin with more than 5,000 active installations, was also revealed (CVE-2024-7094, CVSS score: 9.8). It allows remote code execution due to a PHP code injection flaw. A patch for the vulnerability was released in version 2.8.7.

Some of the other security vulnerabilities that have been fixed in various WordPress plugins are listed below –

  • CVE-2024-6220 (CVSS Score: 9.8) – An arbitrary file upload flaw in the Keydatas plugin that allows unauthenticated attackers to upload arbitrary files to the affected site’s server, ultimately leading to code execution.
  • CVE-2024-6467 (CVSS Score: 8.8) – An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers with subscriber access and above to create arbitrary files and execute arbitrary code or access sensitive information.
  • CVE-2024-5441 (CVSS Score: 8.8) – An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers with subscriber access and above to upload arbitrary files to the affected site’s server and execute code.
  • CVE-2024-6411 (CVSS Score: 8.8) – An escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that allows authenticated attackers with subscriber level access and above to upgrade their user privileges to those of an administrator.

Patching these vulnerabilities is an important line of defense against attacks that exploit them to install credit card skimming programs capable of capturing financial information entered by site visitors.

Last week, Sucuri shed light on a skimmer campaign that infects PrestaShop e-commerce websites with malicious JavaScript that uses a WebSocket connection to steal credit card data.

The GoDaddy-owned website security company has also warned WordPress site owners against installing invalid plugins and themes as they could serve as a vector for malware and other nefarious activities.

“Ultimately, sticking with legitimate plugins and themes is a fundamental part of responsible website management and security should never be compromised in favor of a shortcut,” Sucuri said.
