Monday, November 18, 2024
HomeCVE/vulnerabilityUnauthenticated RCE in WordPress Plugin Exposes 100,000 WordPress Sites

Unauthenticated RCE in WordPress Plugin Exposes 100,000 WordPress Sites

Published on

A critical vulnerability has been discovered in the GiveWP plugin, a popular WordPress donation and fundraising platform.

This vulnerability, CVE-2024-5932, exposes over 100,000 WordPress sites to potential remote code execution (RCE) attacks.

The vulnerability was responsibly disclosed by a security researcher named villu164 through the Wordfence Bug Bounty Program.

- Advertisement - SIEM as a Service

CVE-2024-5932 – The Vulnerability Explained

PHP Object Injection is vulnerable when user input is deserialized into PHP objects without proper validation or sanitization.

This can allow attackers to inject malicious objects that execute arbitrary code or perform unauthorized actions on the server.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

The GiveWP plugin is vulnerable to PHP Object Injection in all versions, including 3.14.1. The vulnerability is triggered by deserializing untrusted input from the ‘give_title’ parameter.

This allows unauthenticated attackers to inject a PHP object. A Property-Oriented Programming (POP) chain in the plugin enables attackers to execute code remotely and delete arbitrary files.

PHP POP chain
PHP POP chain

Technical Details

The vulnerability resides in the give_process_donation_form() function, which handles and processes donation forms. The function fails to validate the ‘give_title’ post parameter, allowing attackers to inject serialized objects.

This can lead to the execution of arbitrary code and the deletion of critical files, such as wp-config.php, which could reset the site and allow attackers to take control.

php
class Product {
    public $price;
    public $productName;
    public $savedPriceFile;
    function __construct($price, $productName) {
        $this->price = $price;
        $this->productName = $productName;
        $this->savedPriceFile = $productName . "pricefile.log";
    }
    function calculateTotal($quantity) {
        $total = $this->price * $quantity;
        echo $total;
        file_put_contents($this->savedPriceFile, $total);
    }
    function __destruct() {
        unlink($this->savedPriceFile);
    }
}

In the example above, an attacker could exploit the vulnerability to delete the wp-config.php file using a payload like:

O:7:”Product”:3:{s:5:”price”;i:2;s:11:”productName”;s:6:”apples”;s:14:”savedPriceFile”;s:13:”wp-config.php”;}

The POP Chain for Remote Code Execution

The vulnerability leverages a complex POP chain that includes the GiveInsertPaymentData class and the Give\Vendors\Faker\ValidGenerator class.

This chain allows attackers to execute the shell_exec() function, effectively enabling them to run arbitrary commands on the server.

CVE Details

  • CVE ID: CVE-2024-5932
  • CVSS Score: 10.0 (Critical)
  • Affected Versions: <= 3.14.1
  • Fully Patched Version: 3.14.2

The Response and Mitigation

The vulnerability was reported to the StellarWP team on June 13, 2024. After a lack of response, the issue was escalated to the WordPress.org Security Team on July 6, 2024. A patch was released on August 7, 2024, in version 3.14.2 of the GiveWP plugin.

All users of the GiveWP plugin are strongly urged to update to the latest version, 3.14.2, to protect their sites from potential exploitation.

Regular updates and security audits are recommended to maintain the security of WordPress sites.

The discovery of this vulnerability highlights the importance of rigorous security practices and the role of responsible disclosure in maintaining the safety of the WordPress ecosystem.

As the web continues to evolve, so too must the measures we take to protect it. Users are encouraged to remain vigilant and proactive in securing their digital assets.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...