Thursday, September 5, 2024

Unauthenticated RCE in WordPress Plugin Exposes 100,000 Websites


A critical vulnerability has been found in the GiveWP plugin, a popular WordPress donation and fundraising platform.

This vulnerability, CVE-2024-5932, exposes over 100,000 WordPress websites to potential remote code execution (RCE) attacks.

The vulnerability was responsibly disclosed by a security researcher named villu164 through the Wordfence Bug Bounty Program.

CVE-2024-5932 – The Vulnerability Explained

PHP Object Injection occurs when user input is deserialized into PHP objects without proper validation or sanitization.

This can allow attackers to inject malicious objects that execute arbitrary code or perform unauthorized actions on the server.


The GiveWP plugin is vulnerable to PHP Object Injection in all versions up to and including 3.14.1. The vulnerability is triggered by deserializing untrusted input from the 'give_title' parameter.

This allows unauthenticated attackers to inject a PHP object. A Property-Oriented Programming (POP) chain present in the plugin lets attackers execute code remotely and delete arbitrary files.

PHP POP chain

Technical Details

The vulnerability resides in the give_process_donation_form() function, which handles and processes donation forms. The function fails to validate the 'give_title' POST parameter, allowing attackers to inject serialized objects.

This can lead to the execution of arbitrary code and the deletion of critical files, such as wp-config.php, which can reset the site and allow attackers to take control.

```php
class Product {
    public $value;
    public $productName;
    public $savedPriceFile;

    function __construct($value, $productName) {
        $this->value = $value;
        $this->productName = $productName;
        // The file path is an ordinary property, so an object created through
        // unserialize() carries whatever path the serialized data specifies
        $this->savedPriceFile = $productName . "pricefile.log";
    }

    function calculateTotal($amount) {
        $total = $this->value * $amount;
        echo $total;
        file_put_contents($this->savedPriceFile, $total);
    }

    // Runs automatically when the object is destroyed, including objects that
    // were created by unserialize(); this is the gadget the payload below abuses
    function __destruct() {
        unlink($this->savedPriceFile);
    }
}
```

In the example above, an attacker could exploit the vulnerability to delete the wp-config.php file using a payload like:

O:7:"Product":3:{s:5:"value";i:2;s:11:"productName";s:6:"apples";s:14:"savedPriceFile";s:13:"wp-config.php";}
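To make the defensive point concrete, here is an added example (not GiveWP or Wordfence code) that puts the vulnerable pattern next to a hardened handler. It reuses the Product class from above with a temporary file standing in for wp-config.php; the function names handle_title_unsafe() and handle_title_safe() are hypothetical, and the payload is constructed for the demo.

```php
<?php
// Added example: contrast unserialize() on a raw request parameter with a handler
// that never instantiates classes from user input. Not code from the plugin.

// Same shape as the Product class discussed in the article: a destructor with a
// file-system side effect, which is exactly what makes it usable as a gadget.
class Product {
    public $value;
    public $productName;
    public $savedPriceFile;

    function __destruct() {
        if (is_string($this->savedPriceFile) && is_file($this->savedPriceFile)) {
            unlink($this->savedPriceFile);
        }
    }
}

// Vulnerable pattern (hypothetical name): the parameter goes straight into
// unserialize(), so any loaded class can be instantiated and its magic methods
// (__destruct, __wakeup, __toString, ...) will run on attacker-chosen properties.
function handle_title_unsafe(string $raw) {
    return unserialize($raw);
}

// Hardened pattern (hypothetical name): with 'allowed_classes' => false PHP turns
// every serialized object into __PHP_Incomplete_Class, which has no methods, so no
// gadget code executes. A title is expected to be a plain scalar, so anything
// else is rejected. The @ suppresses the notice unserialize() emits on bad data.
function handle_title_safe(string $raw): ?string {
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if ($decoded === false && $raw !== serialize(false)) {
        return null; // not valid serialized data at all
    }
    if (!is_scalar($decoded)) {
        return null; // objects and arrays are never acceptable for a title
    }
    return (string) $decoded;
}

// Constructed demo input: a temp file plays the role of wp-config.php.
$victim  = tempnam(sys_get_temp_dir(), 'givewp-demo-');
$payload = 'O:7:"Product":3:{s:5:"value";i:2;s:11:"productName";s:6:"apples";'
         . 's:14:"savedPriceFile";s:' . strlen($victim) . ':"' . $victim . '";}';

$safe = handle_title_safe($payload);
echo "hardened handler returned: " . var_export($safe, true) . PHP_EOL;
echo "file still present after hardened handling: "
   . var_export(file_exists($victim), true) . PHP_EOL;

$obj = handle_title_unsafe($payload);
unset($obj); // the destructor runs here and removes the file
echo "file still present after unsafe handling: "
   . var_export(file_exists($victim), true) . PHP_EOL;
```

Run it with `php demo.php`. The hardened handler returns null and leaves the file alone, while the unsafe handler loses the file as soon as the deserialized object is released. In a real fix the better answer is to stop calling unserialize() on request data altogether and pass structured values as JSON; allowed_classes is the fallback for code paths where the serialized format cannot be changed quickly.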

The POP Chain for Remote Code Execution

The vulnerability leverages a complex POP chain that involves the GiveInsertPaymentData class and the GiveVendorsFakerValidGenerator class.

This chain allows attackers to reach the shell_exec() function, effectively enabling them to run arbitrary commands on the server.

CVE Details

  • CVE ID: CVE-2024-5932
  • CVSS Score: 10.0 (Critical)
  • Affected Versions: <= 3.14.1
  • Fully Patched Version: 3.14.2

The Response and Mitigation

The vulnerability was reported to the StellarWP team on June 13, 2024. After a lack of response, the issue was escalated to the WordPress.org Security Team on July 6, 2024. A patch was released on August 7, 2024, in version 3.14.2 of the GiveWP plugin.

All users of the GiveWP plugin are strongly urged to update to the latest version, 3.14.2, to protect their sites from potential exploitation.

Regular updates and security audits are recommended to maintain the security of WordPress sites.
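Until a site is patched, operators usually want a way to spot attempts against this kind of flaw in their own request data. The following added example (not GiveWP or Wordfence code) is a small, self-contained check that flags POST parameters carrying a PHP serialized object, the `O:<len>:"<class>":` token that every object-injection payload must contain. The function names and the request samples are constructed for illustration; hooking it into WordPress (for example from a must-use plugin on the `init` action) is left as an assumption.

```php
<?php
// Added example: flag request parameters that contain a PHP serialized object.
// Intended for logging/alerting while a vulnerable plugin awaits its update.

// A serialized object starts with O:<len>:"<class>":<props>:{ either at the very
// beginning of the value or right after a ';' or '{' when nested in an array.
// The quoted class name and trailing '{' keep ordinary text from matching.
function contains_serialized_object(string $value): bool {
    return (bool) preg_match('/(?:^|[;{])O:\d+:"[^"]*":\d+:\{/', $value);
}

// Returns the names of all string parameters that look like object payloads.
function scan_request(array $params): array {
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && contains_serialized_object($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed samples standing in for $_POST of several donation requests.
$requests = [
    'legitimate donation' => ['give_title' => 'Mr.', 'give_first' => 'Alice', 'give-amount' => '25'],
    'object in give_title' => ['give_title' => 'O:7:"Product":1:{s:14:"savedPriceFile";s:13:"wp-config.php";}'],
    'object nested in array' => ['give_title' => 'a:1:{i:0;O:7:"Product":0:{}}'],
    'plain array, no object' => ['give_title' => 'a:1:{i:0;s:3:"Mr.";}'],
];

foreach ($requests as $label => $params) {
    $hits = scan_request($params);
    printf("%-24s %s\n", $label . ':', $hits ? 'FLAG ' . implode(',', $hits) : 'clean');
}
```

Treat a hit as a signal to log the source IP, the parameter name and the class token, not as proof of compromise: a legitimate form should never submit serialized objects, so the false-positive rate is low, but the check is coarse (it does not decode double-encoded values or inspect `C:` custom serialization) and is no substitute for installing 3.14.2.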

The discovery of this vulnerability highlights the importance of rigorous security practices and the role of responsible disclosure in maintaining the safety of the WordPress ecosystem.

As the web continues to evolve, so too must the measures we take to protect it. Users are encouraged to remain vigilant and proactive in securing their digital assets.
