The GiveWP plugin, a widely used donation and fundraising tool for WordPress, has recently undergone a crucial update to address a severe security flaw. This GiveWP vulnerability, discovered by the researcher villu164, is a PHP Object Injection issue that could lead to Remote Code Execution (RCE).
This issue, if exploited, allowed unauthorized users to execute arbitrary code and delete files on affected WordPress sites. Given its critical nature, users are strongly advised to update their plugins immediately to ensure their sites are secure.
The GiveWP vulnerability, identified as CVE-2024-5932, affects all versions of the GiveWP plugin up to and including version 3.14.1. The issue lies in the deserialization of untrusted input from the give_title parameter, which enables unauthenticated attackers to inject PHP objects.
The presence of a PHP Object Injection (POP) chain in the plugin further allows these attackers to execute code remotely and delete files from the server.
The GiveWP Vulnerability: PHP Object Injection to Remote Code Execution
According to the Wordfence Bug Bounty Program, the vulnerability is classified as “Critical,” with a CVSS score of 10.0. This score reflects the potential severity of the exploit, as attackers could gain complete control over the affected site. The impact of such an exploit includes unauthorized file deletion and the ability to execute arbitrary PHP code, posing a risk to site security and data integrity.
Villu Orav, known as villu164, reported the GiveWP vulnerability through the Wordfence Bug Bounty Program on May 26, 2024. His discovery earned him a bounty of $4,998.00, acknowledging the critical nature of his findings. The researcher’s report highlighted that the GiveWP plugin was vulnerable to PHP Object Injection through the give_title parameter. This parameter’s deserialization process in versions up to 3.14.1 exposed the plugin to severe security risks.
Upon receiving the report, Wordfence reached out to the StellarWP team—the developers behind GiveWP—on June 13, 2024. When no immediate response was received, the issue was escalated to the WordPress.org Security Team on July 6, 2024. A critical patch was finally released on August 7, 2024, in version 3.14.2 of the GiveWP plugin.
Technical Details of the GiveWP Vulnerability
PHP Object Injection vulnerabilities arise when a PHP application unserializes user-provided data without adequate validation, potentially executing harmful PHP objects. Serialized data, which is used to store complex data structures, can include PHP objects. For example, serialized data might look like a:2:{s:11:”productName”;s:5:”apple”;s:7:”price”;i:10;}, which, if unserialized unsafely, can introduce malicious objects.
PHP objects, created from classes with properties and methods, may contain “magic methods” like __destruct, which execute under certain conditions. An attacker can exploit such vulnerabilities by injecting objects with harmful properties, using methods like __destruct to delete critical files such as wp-config.php.
The vulnerability in the GiveWP plugin involves the give_process_donation_form() function, which handles donation submissions. This function performs validation on the post data but fails to include the give_title parameter in its checks. Consequently, the deserialization of this parameter allows for the injection of malicious PHP objects.
The give_process_donation_form() function processes the donation data and interacts with the give_get_donation_form_user() function, which assigns values to user data based on the give_title parameter. The user data, including serialized values, is then saved and processed further.
The issue is exacerbated by the plugin’s handling of serialized data during payment processing. The _give_donor_title_prefix meta key is used to store serialized data, which is later unserialized in the Give_Payment class. This unserialization process is where the PHP Object Injection vulnerability manifests, allowing attackers to exploit a PHP Object Injection (POP) chain.
