A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks.
The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164, has been credited with discovering and reporting the issue.
The plugin is "vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter," Wordfence said in a report this week.
"This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files."
The vulnerability is rooted in a function named "give_process_donation_form()," which is used to validate and sanitize the entered form data, before passing the donation information, including the payment details, to the specified gateway.
Successful exploitation of the flaw could enable an authenticated threat actor to execute malicious code on the server, making it imperative that users take steps to update their instances to the latest version.
The disclosure comes days after Wordfence also detailed another critical security flaw in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0) that makes it possible for unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file.
On Linux systems, only files within the WordPress install directory can be deleted, but all files can be read. The issue has been patched in version 1.4.5.
Another critical shortcoming in JS Help Desk, a WordPress plugin with more than 5,000 active installations, has also been uncovered (CVE-2024-7094, CVSS score: 9.8) as enabling remote code execution due to a PHP code injection flaw. A patch for the vulnerability has been released in version 2.8.7.
Some of the other security flaws resolved in various WordPress plugins are listed below -
- CVE-2024-6220 (CVSS score: 9.8) - An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin that allows unauthenticated attackers to upload arbitrary files on the affected site's server, ultimately resulting in code execution
- CVE-2024-6467 (CVSS score: 8.8) - An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers, with Subscriber-level access and above, to create arbitrary files and execute arbitrary code or access sensitive information
- CVE-2024-5441 (CVSS score: 8.8) - An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server and execute code
- CVE-2024-6411 (CVSS score: 8.8) - A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that allows authenticated attackers, with Subscriber-level access and above, to update their user capabilities to that of an Administrator
Patching against these vulnerabilities is a crucial line of defense against attacks that exploit them to deliver credit card skimmers that are capable of harvesting financial information entered by site visitors.
Last week, Sucuri shed light on a skimmer campaign that injects PrestaShop e-commerce websites with malicious JavaScript that leverages a WebSocket connection to steal credit card details.
The GoDaddy-owned website security company has also warned WordPress site owners against installing nulled plugins and themes, stating they could act as a vector for malware and other nefarious activities.
"In the end, sticking with legitimate plugins and themes is a fundamental part of responsible website management and security should never be compromised for the sake of a shortcut," Sucuri said.