August 21, 2024Ravie LakshmananWordPress / Cybersecurity

A high-severity security vulnerability has been discovered in the WordPress donation and fundraising plugin GiveWP, exposing over 100,000 websites to remote code execution attacks.

The vulnerability, tracked as CVE-2024-5932 (CVSS score: 10.0), affects all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher known online as villu164 is credited with discovering and reporting the issue.

Wordfence reported this week that the plugin is “vulnerable to PHP Object Injection in all versions up to and including 3.14.1 via deserialization of untrusted input from the ‘give_title’ parameter.”

“This allows unauthenticated attackers to inject a PHP object. The additional presence of a POP chain allows attackers to execute code remotely and delete arbitrary files.”

The vulnerability is rooted in a function named ‘give_process_donation_form()’, which is used to validate and sanitize the input form data before sending the donation data, including payment information, to the specified gateway.

If the flaw is successfully exploited, it could allow an authenticated malicious actor to execute malicious code on the server. In this case, it is critical that users take steps to update their instances to the latest version.

The disclosure comes just days after Wordfence also described another critical vulnerability in the WordPress plugins InPost PL and InPost for WooCommerce (CVE-2024-6500, CVSS score: 10.0). The flaw allows unauthenticated attackers to read and delete arbitrary files, including the wp-config.php file.

On Linux systems, only files in the WordPress installation directory can be deleted, but all files can be read. The issue was patched in version 1.4.5.

Another critical flaw in JS Help Desk, a WordPress plugin with over 5,000 active installations, was also discovered (CVE-2024-7094, CVSS score: 9.8) as allowing remote code execution due to a PHP code injection flaw. A patch for the vulnerability was released in version 2.8.7.

Below are some other vulnerabilities fixed in various WordPress plugins:

• CVE-2024-6220 (CVSS score: 9.8) – An arbitrary file upload error in the 简数采集器 (Keydatas) plugin allows unauthenticated attackers to upload arbitrary files to the affected site’s server, ultimately resulting in code execution

• CVE-2024-6467 (CVSS score: 8.8) – An arbitrary read issue in the BookingPress appointment booking plugin that allows authenticated attackers with subscriber-level access and above to craft arbitrary files and execute arbitrary code or access sensitive information

• CVE-2024-5441 (CVSS score: 8.8) – An arbitrary file upload flaw in the Modern Events Calendar plugin that could allow authenticated attackers with subscription access and above to upload arbitrary files to the affected site’s server and execute code

• CVE-2024-6411 (CVSS score: 8.8) – A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin allows authenticated attackers with subscriber-level access and above to upgrade their user capabilities to that of an administrator

Patching these vulnerabilities provides a critical line of defense against attacks that exploit these vulnerabilities to install credit card skimmers that can collect financial information from site visitors.

Last week, Sucuri exposed a skimmer campaign that injects PrestaShop ecommerce sites with malicious JavaScript code. This code uses a WebSocket connection to steal credit card details.

GoDaddy’s website security company has also warned WordPress site owners about installing invalid plugins and themes, as these can spread malware and other malicious activities.

“Ultimately, sticking to legitimate plugins and themes is a fundamental part of responsible website management. Security should never be compromised for the sake of a shortcut,” Sucuri said.