A recent vulnerability, identified as CVE-2023-47183, has been discovered in GiveWP, a popular WordPress plugin used by millions of websites worldwide for fundraising and donation management. The vulnerability stems from a missing authorization check in the plugin, which may let unauthorized users exploit the incorrectly configured access control. This could enable bad actors to compromise websites running GiveWP versions up to 2.33.1.
Exploit Details
The vulnerability lies in the improper access control configuration of GiveWP, which allows unauthorized users to elevate their privileges, perform unauthorized actions, and subsequently gain control of a WordPress site. The lack of a proper authorization check could result in the exposure of sensitive user data or unauthorized manipulation of donation-related data on the affected site.
Code Snippet
The following code snippet, sourced in part from the GiveWP codebase, exhibits the missing authorization check (the nonce verification is shown here so the snippet matches the description below; the nonce action name is illustrative, not the plugin's own):

    function give_process_admin_actions() {
        if (isset($_GET['give-action']) && isset($_GET['_wpnonce'])) {
            $action = sanitize_key($_GET['give-action']);
            $nonce  = sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']));

            // CSRF protection only: a valid nonce proves the request came from a page
            // WordPress rendered for this user, not that the user may run $action.
            if (!wp_verify_nonce($nonce, 'give-action-' . $action)) { // illustrative nonce name
                wp_die(__('Invalid or expired request.', 'give'));
            }

            // No current_user_can() check here: this is the missing authorization check.
            switch ($action) {
                case 'my_custom_action':
                    // Perform action
                    break;
                default:
                    do_action('give_admin_action_' . $action);
                    break;
            }
        }
    }
    add_action('admin_init', 'give_process_admin_actions');
In this snippet, the issue is that no permission check on the current user is performed after the _wpnonce value is validated and before the requested action executes. A nonce only protects against cross-site request forgery; it does not establish that the requesting user holds the capability required for the action, so the two checks are not interchangeable.
Mitigation
The GiveWP team has addressed this issue in version 2.33.2, where they've implemented stringent authorization checks, ensuring that only users with the required privilege level can access and perform specific actions. Users utilizing GiveWP in their WordPress installations are urged to update to version 2.33.2 or the latest version available.
Here is the official reference from GiveWP regarding the issue and its resolution:
GiveWP – Security Release – 2.33.2
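As an added example (not part of the advisory or of GiveWP's code), the following Python script gives a site administrator a quick way to confirm whether an installed GiveWP copy predates the fixed release. It assumes the plugin's main file lives at wp-content/plugins/give/give.php and carries a standard WordPress "Version:" header; the embedded header is a constructed sample.

```python
import re
from pathlib import Path

# First GiveWP release carrying the authorization check (from the advisory).
FIXED_VERSION = "2.33.2"

# Constructed sample of a WordPress plugin header; not a real give.php.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Give - Donation Plugin (constructed sample)
 * Version: 2.33.1
 */
"""

def parse_version(header_text):
    """Extract the 'Version:' value from a plugin main-file header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def version_tuple(version):
    """Numeric dotted-version tuple; a pre-release suffix such as '-rc1' is ignored."""
    return tuple(int(m.group()) for m in (re.match(r"\d+", p) for p in version.split(".")) if m)

def is_vulnerable(version):
    """True when the installed version predates the fix (version < 2.33.2)."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)

def check_plugin_dir(plugins_dir):
    """Look for give/give.php under a wp-content/plugins directory (assumed layout).
    Returns None if GiveWP is not installed, (None, None) if no version header was
    found, otherwise (version, vulnerable)."""
    main_file = Path(plugins_dir) / "give" / "give.php"
    if not main_file.is_file():
        return None
    version = parse_version(main_file.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return (None, None)
    return (version, is_vulnerable(version))

if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print(f"sample header version {v}: {'UPDATE NEEDED' if is_vulnerable(v) else 'patched'}")
```

Run it against a real installation with check_plugin_dir("/var/www/html/wp-content/plugins") (path is an assumption); a result of (version, True) means the site is still on an affected release.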
Modified code snippet (with permission check; the nonce action name is again illustrative):

    function give_process_admin_actions() {
        if (isset($_GET['give-action']) && isset($_GET['_wpnonce'])) {
            $action = sanitize_key($_GET['give-action']);
            $nonce  = sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']));

            // CSRF protection: reject requests that do not carry a valid nonce.
            if (!wp_verify_nonce($nonce, 'give-action-' . $action)) { // illustrative nonce name
                wp_die(__('Invalid or expired request.', 'give'));
            }

            // Authorization: only users holding the required capability may continue.
            if (!current_user_can('manage_options')) {
                wp_die(__('You do not have permissions to perform this action.', 'give'), '', array('response' => 403));
            }

            switch ($action) {
                case 'my_custom_action':
                    // Perform action
                    break;
                default:
                    do_action('give_admin_action_' . $action);
                    break;
            }
        }
    }
    add_action('admin_init', 'give_process_admin_actions');
Conclusion
The discovery of CVE-2023-47183 highlights the importance of auditing and maintaining proper access control in WordPress plugins and applications. As a site administrator, it is essential to keep plugins up to date and to stay aware of potential vulnerabilities, since they can have serious implications for site security and user data. In this case, updating GiveWP to version 2.33.2 or the latest available version addresses the vulnerability.
Timeline
Published on: 01/02/2025 12:15:14 UTC