A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks.
The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164, has been credited with discovering and reporting the issue.
The plugin is “vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the ‘give_title’ parameter,” Wordfence said in a report this week.
“This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.”
The vulnerability is rooted in a function named “give_process_donation_form(),” which is used to validate and sanitize the submitted form data before passing the donation information, along with the payment details, to the specified gateway.
Successful exploitation of the flaw could allow an authenticated threat actor to execute malicious code on the server, making it imperative that users take steps to update their installations to the latest version.
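The following is an added illustration, not code from GiveWP or from Wordfence's report: it shows the general class of bug described above (a request field passed to unserialize(), so a serialized-object payload instantiates a class and runs its magic methods), a handler that never deserializes the field, and a simple check a WAF rule or log review could use to flag serialized-object notation in request values. Only the field name ‘give_title’ comes from the article; the function names and sample inputs are hypothetical.

```php
<?php
// Added illustration (not GiveWP's code). Field name 'give_title' is from the
// article; all function names and sample values here are constructed.

// Vulnerable pattern: whatever class the payload names is instantiated and its
// magic methods (__wakeup, __destruct, ...) run. That is what a POP chain relies on.
function vulnerable_read_title(array $request): mixed
{
    $raw = $request['give_title'] ?? '';
    return is_string($raw) ? unserialize($raw) : null;
}

// Safer pattern: a title is plain text, so it is never deserialized. If a legacy
// serialized *string* must still be accepted, allowed_classes => false turns any
// object in the payload into __PHP_Incomplete_Class, so no magic methods execute.
function hardened_read_title(array $request): string
{
    $raw = $request['give_title'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return '';
    }
    if (preg_match('/^s:\d+:"/', $raw) === 1) {            // legacy serialized string
        $value = unserialize($raw, ['allowed_classes' => false]);
        return is_string($value) ? strip_tags($value) : '';
    }
    return strip_tags($raw);                               // treated as literal text
}

// Detection: flag request values carrying PHP serialized-object notation
// (O:<len>:"<class>": or C:<len>:"<class>":), at the start or nested in an array.
function looks_like_serialized_object(string $value): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":/', $value) === 1;
}

// Constructed sample inputs for a quick self-check (run with zend.assertions=1).
$samples = [
    'Monthly gift'                  => false,
    's:12:"Monthly gift";'          => false,
    'O:8:"stdClass":0:{}'           => true,
    'a:1:{i:0;O:8:"stdClass":0:{}}' => true,
];
foreach ($samples as $input => $expected) {
    assert(looks_like_serialized_object($input) === $expected);
}
assert(hardened_read_title(['give_title' => 'O:8:"stdClass":0:{}']) === 'O:8:"stdClass":0:{}');
assert(hardened_read_title(['give_title' => 's:12:"Monthly gift";']) === 'Monthly gift');
```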
The disclosure comes days after Wordfence also detailed another critical security flaw in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0) that makes it possible for unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file.
On Linux systems, only files within the WordPress installation directory can be deleted, but all files can be read. The issue has been patched in version 1.4.5.
Another critical shortcoming in JS Help Desk, a WordPress plugin with more than 5,000 active installations, has also been uncovered (CVE-2024-7094, CVSS score: 9.8) as enabling remote code execution as a result of a PHP code injection flaw. A patch for the vulnerability has been released in version 2.8.7.
Some of the other security flaws resolved in various WordPress plugins are listed below –
- CVE-2024-6220 (CVSS score: 9.8) – An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin that allows unauthenticated attackers to upload arbitrary files to the affected site’s server, ultimately resulting in code execution
- CVE-2024-6467 (CVSS score: 8.8) – An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers, with Subscriber-level access and above, to create arbitrary files and execute arbitrary code or access sensitive information
- CVE-2024-5441 (CVSS score: 8.8) – An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers, with Subscriber-level access and above, to upload arbitrary files to the affected site’s server and execute code
- CVE-2024-6411 (CVSS score: 8.8) – A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that allows authenticated attackers, with Subscriber-level access and above, to update their user capabilities to those of an Administrator
Patching against these vulnerabilities is an essential line of defense against attacks that exploit them to deliver credit card skimmers capable of harvesting financial information entered by site visitors.
Last week, Sucuri shed light on a skimmer campaign that injects PrestaShop e-commerce websites with malicious JavaScript that leverages a WebSocket connection to steal credit card details.
The GoDaddy-owned website security company has also warned WordPress site owners against installing nulled plugins and themes, stating they could act as a vector for malware and other nefarious activities.
“In the end, sticking with legitimate plugins and themes is a fundamental part of responsible website management and security should never be compromised for the sake of a shortcut,” Sucuri stated.