A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks.
The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164, has been credited with discovering and reporting the issue.
The plugin is “vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the ‘give_title’ parameter,” Wordfence said in a report this week.
“This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.”
The vulnerability is rooted in a function named “give_process_donation_form(),” which is used to validate and sanitize the entered form data, before passing the donation information, including the payment details, to the specified gateway.
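To make the root cause concrete, the following added PHP example (not GiveWP's code, and not taken from the Wordfence report) shows the generic pattern the report describes: a form handler that passes a request parameter to `unserialize()`, placed beside a hardened handler that treats the field as a plain string and rejects anything shaped like a serialized PHP object before it can reach any deserialization routine. The parameter name `give_title` is the one from the report; the function names, the minimal `is_serialized()` re-implementation and the sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added illustration, not the plugin's own code. Function names and the
// sample inputs below are constructed for the example.
declare(strict_types=1);

// Minimal stand-in for WordPress's is_serialized() so the script runs
// outside WordPress. It never instantiates real classes: allowed_classes=false
// turns any object into __PHP_Incomplete_Class while still validating syntax.
function is_serialized(string $data): bool
{
    return $data === 'b:0;'
        || @unserialize($data, ['allowed_classes' => false]) !== false;
}

// VULNERABLE PATTERN (PHP object injection): untrusted request data reaches
// unserialize() with default options, so any autoloadable class can be
// instantiated and its magic methods (__wakeup, __destruct, ...) run.
function handle_donation_vulnerable(array $post): mixed
{
    $title = $post['give_title'] ?? '';
    return is_serialized($title) ? unserialize($title) : $title;
}

// Defence in depth: detect the serialized-object prefix O:<len>:"<class>"
// (and the custom-serialization form C:<len>:"<class>") anywhere a value
// starts or a new element begins.
function looks_like_php_object(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $value);
}

// HARDENED PATTERN: the field is a display string, so it is never
// deserialized. If structured data were genuinely required, json_decode()
// (which cannot instantiate arbitrary classes) would be the safe carrier.
function handle_donation_hardened(array $post): string
{
    $title = (string) ($post['give_title'] ?? '');
    if (looks_like_php_object($title)) {
        throw new InvalidArgumentException(
            'Rejected: serialized PHP object supplied in give_title'
        );
    }
    // WordPress code would call sanitize_text_field() here; strip_tags/trim
    // is the dependency-free stand-in.
    return trim(strip_tags($title));
}

// Constructed sample requests: a normal title and a harmless stdClass
// payload that merely demonstrates the serialized-object shape.
$benign  = ['give_title' => 'Dr.'];
$shaped  = ['give_title' => 'O:8:"stdClass":1:{s:1:"a";s:1:"b";}'];

// The vulnerable handler hands back an object built from request data.
var_dump(handle_donation_vulnerable($shaped));

// The hardened handler returns a plain string for normal input and refuses
// the object-shaped input before unserialize() is ever reached.
var_dump(handle_donation_hardened($benign));
try {
    handle_donation_hardened($shaped);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The prefix check is only a safety net for logging and blocking at the edge (a WAF rule or request filter can apply the same regular expression to every parameter); the actual fix is the one the hardened handler shows, which is to never deserialize request-controlled data at all.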
Successful exploitation of the flaw could enable an authenticated threat actor to execute malicious code on the server, making it imperative that users take steps to update their instances to the latest version.
The disclosure comes days after Wordfence also detailed another critical security flaw in the InPost PL and InPost for WooCommerce WordPress plugins (CVE-2024-6500, CVSS score: 10.0) that makes it possible for unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file.
On Linux systems, only files within the WordPress installation directory can be deleted, but all files can be read. The issue has been patched in version 1.4.5.
Another critical shortcoming in JS Help Desk, a WordPress plugin with more than 5,000 active installations, has also been uncovered (CVE-2024-7094, CVSS score: 9.8) as enabling remote code execution due to a PHP code injection flaw. A patch for the vulnerability has been released in version 2.8.7.
Some of the other security flaws resolved in various WordPress plugins are listed below –
- CVE-2024-6220 (CVSS score: 9.8) – An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin that allows unauthenticated attackers to upload arbitrary files on the affected site’s server, ultimately resulting in code execution
- CVE-2024-6467 (CVSS score: 8.8) – An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers, with Subscriber-level access and above, to create arbitrary files and execute arbitrary code or access sensitive information
- CVE-2024-5441 (CVSS score: 8.8) – An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site’s server and execute code
- CVE-2024-6411 (CVSS score: 8.8) – A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that allows authenticated attackers, with Subscriber-level access and above, to update their user capabilities to that of an Administrator
Patching against these vulnerabilities is a crucial line of defense against attacks that exploit them to deliver credit card skimmers that are capable of harvesting financial information entered by site visitors.
Last week, Sucuri shed light on a skimmer campaign that injects PrestaShop e-commerce websites with malicious JavaScript that leverages a WebSocket connection to steal credit card details.
The GoDaddy-owned website security company has also warned WordPress site owners against installing nulled plugins and themes, stating they could act as a vector for malware and other nefarious activities.
“Ultimately, sticking with legitimate plugins and themes is a fundamental part of responsible website management and security should never be compromised for the sake of a shortcut,” Sucuri said.