Unauthenticated RCE in WordPress Plugin Exposes 100,000 WordPress Sites

A critical vulnerability has been discovered in the GiveWP plugin, a popular WordPress donation and fundraising platform.

This vulnerability, CVE-2024-5932, exposes over 100,000 WordPress sites to potential remote code execution (RCE) attacks.

The vulnerability was responsibly disclosed by a security researcher named villu164 through the Wordfence Bug Bounty Program.

CVE-2024-5932 – The Vulnerability Explained

PHP Object Injection is vulnerable when user input is deserialized into PHP objects without proper validation or sanitization.

This can allow attackers to inject malicious objects that execute arbitrary code or perform unauthorized actions on the server.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

The GiveWP plugin is vulnerable to PHP Object Injection in all versions, including 3.14.1. The vulnerability is triggered by deserializing untrusted input from the ‘give_title’ parameter.

This allows unauthenticated attackers to inject a PHP object. A Property-Oriented Programming (POP) chain in the plugin enables attackers to execute code remotely and delete arbitrary files.

Technical Details

The vulnerability resides in the give_process_donation_form() function, which handles and processes donation forms. The function fails to validate the ‘give_title’ post parameter, allowing attackers to inject serialized objects.

This can lead to the execution of arbitrary code and the deletion of critical files, such as wp-config.php, which could reset the site and allow attackers to take control.

php
class Product {
    public $price;
    public $productName;
    public $savedPriceFile;
    function __construct($price, $productName) {
        $this->price = $price;
        $this->productName = $productName;
        $this->savedPriceFile = $productName . "pricefile.log";
    }
    function calculateTotal($quantity) {
        $total = $this->price * $quantity;
        echo $total;
        file_put_contents($this->savedPriceFile, $total);
    }
    function __destruct() {
        unlink($this->savedPriceFile);
    }
}

In the example above, an attacker could exploit the vulnerability to delete the wp-config.php file using a payload like:

O:7:”Product”:3:{s:5:”price”;i:2;s:11:”productName”;s:6:”apples”;s:14:”savedPriceFile”;s:13:”wp-config.php”;}

The POP Chain for Remote Code Execution

The vulnerability leverages a complex POP chain that includes the GiveInsertPaymentData class and the Give\Vendors\Faker\ValidGenerator class.

This chain allows attackers to execute the shell_exec() function, effectively enabling them to run arbitrary commands on the server.

CVE Details

• CVE ID: CVE-2024-5932
• CVSS Score: 10.0 (Critical)
• Affected Versions: <= 3.14.1
• Fully Patched Version: 3.14.2

The Response and Mitigation

The vulnerability was reported to the StellarWP team on June 13, 2024. After a lack of response, the issue was escalated to the WordPress.org Security Team on July 6, 2024. A patch was released on August 7, 2024, in version 3.14.2 of the GiveWP plugin.

All users of the GiveWP plugin are strongly urged to update to the latest version, 3.14.2, to protect their sites from potential exploitation.

Regular updates and security audits are recommended to maintain the security of WordPress sites.

The discovery of this vulnerability highlights the importance of rigorous security practices and the role of responsible disclosure in maintaining the safety of the WordPress ecosystem.

As the web continues to evolve, so too must the measures we take to protect it. Users are encouraged to remain vigilant and proactive in securing their digital assets.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access