A severe security flaw has been uncovered in the WordPress GiveWP donation and fundraising plugin, potentially exposing over 100,000 websites to remote code execution attacks. Identified as CVE-2024-5932 with a CVSS score of 10.0, the vulnerability affects all plugin versions prior to 3.14.2, released on August 7, 2024. The flaw was discovered by security researcher villu164.
According to Wordfence, the vulnerability is a PHP Object Injection issue caused by the deserialization of untrusted input from the 'give_title' parameter. It allows unauthenticated attackers to inject a PHP object which, combined with a POP (property-oriented programming) chain, enables remote code execution and arbitrary file deletion.
The flaw lies in the "give_process_donation_form()" function, which is responsible for validating and sanitizing donation form data before passing it to the payment gateway. Because an attacker can reach the deserialization with attacker-controlled data, successful exploitation allows malicious code to be executed on the server, which is why site owners should update to the patched plugin version without delay.
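As an added illustration (not GiveWP's own code), the following PHP contrasts the vulnerable pattern described above, unserialize() applied to a form field, with two hardened alternatives, plus a small check that flags serialized-object strings in form input for logging. The class name, field handling and sample input are constructed for this example.

```php
<?php
// Hypothetical class standing in for any application class with a magic
// method: __wakeup/__destruct run automatically during deserialization,
// which is what a POP chain abuses when the input is attacker-controlled.
class CacheEntry {
    public $path = '';
    public function __wakeup() {
        // side effects here would execute for any injected CacheEntry
    }
}

// UNSAFE pattern (the bug class behind CVE-2024-5932): untrusted request
// data reaches unserialize(), so the client decides which objects exist.
function unsafe_restore_title(array $post) {
    return unserialize($post['give_title'] ?? '');
}

// Hardened form 1: forbid instantiating any class. Serialized objects are
// turned into __PHP_Incomplete_Class, so no __wakeup/__destruct gadget fires.
function safe_restore_title(array $post) {
    $raw = $post['give_title'] ?? '';
    if (!is_string($raw)) {
        return '';
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; 'b:0;' is the one
    // legitimate serialization of false, so distinguish the two cases.
    if ($value === false && $raw !== 'b:0;') {
        return '';
    }
    return $value;
}

// Hardened form 2 (preferred): a title is plain text, so never serialize it.
function sanitize_title_field(array $post): string {
    $raw = $post['give_title'] ?? '';
    return is_string($raw) ? strip_tags(trim($raw)) : '';
}

// Detection aid for access logs or WAF rules: does a form value carry a
// serialized PHP object? The token O:<len>:"<class>":<n>:{ is the marker.
function looks_like_php_object(string $s): bool {
    return (bool) preg_match('/(?:^|[;{])O:\d+:"[^"]+":\d+:\{/', $s);
}

// Constructed sample input (an empty CacheEntry, not a real payload).
$sample = ['give_title' => 'O:10:"CacheEntry":1:{s:4:"path";s:0:"";}'];
var_dump(looks_like_php_object($sample['give_title']));
var_dump(get_class(safe_restore_title($sample)));
```

Run under PHP 7.0 or later, the second var_dump reports __PHP_Incomplete_Class, showing that the allowed_classes guard prevents the application class from being instantiated even when the input is a well-formed serialized object.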
This disclosure follows the revelation of another critical vulnerability in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0), which could allow unauthenticated attackers to read and delete arbitrary files, including the wp-config.php file. The issue has been patched in version 1.4.5.
Additionally, a critical flaw in the JS Help Desk WordPress plugin (CVE-2024-7094, CVSS score: 9.8) was found to allow remote code execution due to a PHP code injection vulnerability. This issue has been resolved in version 2.8.7.
CVE-2024-5932 (CVSS 10): Critical RCE Vulnerability Impacts 100k+ WordPress Sites
Protect your #WordPress site from #RCE and unauthorized file deletion. Learn about the critical security flaw in the #GiveWP plugin (CVE-2024-5932) https://t.co/87tWSCrxw8
— Gray Hats (@the_yellow_fall) August 20, 2024
Other recently patched WordPress plugin vulnerabilities include:
- CVE-2024-6220 (CVSS score: 9.8) – Arbitrary file upload flaw in the Keydatas plugin, allowing unauthenticated attackers to execute code on the server.
- CVE-2024-6467 (CVSS score: 8.8) – Arbitrary file read flaw in the BookingPress appointment booking plugin, allowing authenticated attackers to access sensitive information.
- CVE-2024-5441 (CVSS score: 8.8) – Arbitrary file upload flaw in the Modern Events Calendar plugin, enabling authenticated attackers to execute code on the server.
- CVE-2024-6411 (CVSS score: 8.8) – Privilege escalation flaw in the ProfileGrid plugin, allowing authenticated users to elevate their permissions to Administrator.
Patching these vulnerabilities promptly is essential: successful exploitation can lead to the installation of credit card skimmers and other malicious activity on affected sites.
In light of recent events, Sucuri has cautioned WordPress site owners against using nulled plugins and themes, which can serve as vectors for malware. The company emphasizes that using legitimate plugins and themes is crucial for maintaining website security.
Sandhya Goswami