The recent update to the GiveWP plugin, a popular donation and fundraising tool for WordPress, has been prompted by a critical security flaw. Discovered by the researcher villu164, this GiveWP vulnerability involves a PHP Object Injection issue that could potentially lead to Remote Code Execution (RCE). The gravity of this vulnerability is such that unauthorized users could exploit it to execute arbitrary code and delete files on affected WordPress sites. To safeguard the security of their websites, users are strongly advised to promptly update their GiveWP plugins.
Identified as CVE-2024-5932, the GiveWP vulnerability affects all versions of the plugin up to and including version 3.14.1. It stems from the deserialization of untrusted input from the give_title parameter, which lets unauthenticated attackers inject PHP objects. Combined with a property-oriented programming (POP) gadget chain already present on the site, the injected objects allow attackers to execute code remotely and potentially delete files from the server.
According to the Wordfence Bug Bounty Program, the severity of this vulnerability is classified as “Critical,” with a CVSS score of 10.0. This high score signifies the immense threat posed by potential exploits, as attackers could gain complete control over compromised sites. The repercussions of such an exploit are dire, including unauthorized file deletion and the ability to execute arbitrary PHP code, thereby jeopardizing site security and data integrity.
The researcher behind the discovery, Villu Orav (villu164), reported the GiveWP vulnerability through the Wordfence Bug Bounty Program on May 26, 2024. This critical finding earned him a bounty of $4,998.00, underscoring the significance of his contribution. His report shed light on how the GiveWP plugin’s vulnerability to PHP Object Injection through the give_title parameter exposed the plugin to substantial security risks.
Upon receiving Villu Orav’s report, Wordfence contacted the StellarWP team, the developers of GiveWP, on June 13, 2024. After receiving no response, Wordfence escalated the issue to the WordPress.org Security Team on July 6, 2024. A patch was finally released on August 7, 2024, in version 3.14.2 of the GiveWP plugin, mitigating the vulnerability.
PHP Object Injection vulnerabilities arise when a PHP application unserializes user-provided data without appropriate validation. Serialized data is meant to store complex data structures, but a serialized string can also describe PHP objects; unserializing it unsafely instantiates attacker-chosen objects of any class the application has loaded, and magic methods on those objects (such as __wakeup or __destruct) then run with attacker-controlled properties. Attackers exploit this by injecting objects whose properties steer such methods, for example using a __destruct method to delete crucial files such as wp-config.php.
In the case of the GiveWP plugin, the vulnerability lies in the give_process_donation_form() function, which handles donation submissions. While this function validates post data, it omits any check on the give_title parameter, so a serialized string supplied there is accepted and later deserialized, allowing the injection of malicious PHP objects. The problem is compounded by the plugin’s handling of serialized data during payment processing: data stored in the _give_donor_title_prefix meta key is unserialized, which is where the POP chain is triggered.
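To make the defensive point concrete, the following is an added illustration and not GiveWP’s own code: the AuditHandle class, the sample serialized string and the helper functions are all constructed here. It contrasts a raw unserialize() of request input with two hardened alternatives (treat a title as plain text; or, where serialized data must be read back, forbid object instantiation with allowed_classes), plus a simple check a reviewer can use to spot serialized-object input.

```php
<?php
// Added illustration (not GiveWP's code): why unserialize() on request input is
// dangerous, and two defensive patterns. All names and values are constructed.

// Hypothetical class with a destructor, standing in for any gadget class a
// plugin or theme already loads. Real gadgets abuse such magic methods with
// attacker-controlled properties; this one only reports that it ran.
class AuditHandle {
    public $path = '';
    public function __destruct() {
        echo "[audit] __destruct fired with path: {$this->path}\n";
    }
}

// Constructed stand-in for a request parameter such as give_title.
$untrusted = 'O:11:"AuditHandle":1:{s:4:"path";s:14:"/tmp/anything";}';

// Vulnerable pattern: raw unserialize() of request data. Any loaded class can
// be instantiated and its magic methods will run.
function vulnerable_title($input) {
    return unserialize($input);            // attacker controls the object graph
}

// Hardened pattern 1: a title is a string, so never deserialize it at all.
function safe_title($input) {
    return substr(strip_tags((string) $input), 0, 100); // keep as text, bound length
}

// Hardened pattern 2: if serialized data genuinely must be read back (e.g. from
// a meta value), forbid object instantiation. Objects come back as
// __PHP_Incomplete_Class, so no __wakeup/__destruct of a real class executes.
function safe_unserialize($input) {
    $value = @unserialize($input, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null;                       // reject serialized objects outright
    }
    return $value;
}

// Review aid: does incoming text look like a serialized PHP object or class?
function looks_like_serialized_object($input) {
    return (bool) preg_match('/^[OC]:\d+:"/', (string) $input);
}

var_dump(looks_like_serialized_object($untrusted));  // bool(true)
var_dump(safe_title($untrusted));                    // the literal string, no object
var_dump(safe_unserialize($untrusted));              // NULL
$obj = vulnerable_title($untrusted);                 // AuditHandle instance; destructor fires at shutdown
```

Running the script shows the vulnerable path instantiating AuditHandle and its destructor firing at script end, while both hardened paths never create the object.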
In conclusion, the recent security update addressing the GiveWP vulnerability highlights the importance of promptly patching vulnerabilities to safeguard against potential exploitation. Users of the GiveWP plugin are strongly urged to update to version 3.14.2 or later to mitigate the risks associated with the PHP Object Injection issue and uphold the security of their WordPress sites.
