GiveWP Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-51415 | WordPress Plugin Vulnerability Report

Plugin Name: GiveWP

Key Information:

  • Software Type: Plugin
  • Software Slug: give
  • Software Status: Active
  • Software Author: webdevmattcrom
  • Software Downloads: 6,478,131
  • Active Installs: 100,000
  • Last Updated: January 19, 2024
  • Patched Versions: 3.3.0
  • Affected Versions: <= 3.2.2

Vulnerability Details:

  • Name: GiveWP <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-51415
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: January 19, 2024
  • Researcher: LVT-tholv2k
  • Description: The GiveWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The GiveWP plugin for WordPress has an Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability in versions up to and including 3.2.2 that allows authenticated users with contributor access or higher to inject arbitrary web scripts into pages that will execute when users visit those pages. This vulnerability has been patched in version 3.3.0.

Detailed Overview:

GiveWP versions up to and including 3.2.2 contain an input validation and output encoding issue that enables attackers with contributor access or higher privileges to store malicious JavaScript code on pages that will execute whenever a user visits those pages. Depending on the attacker's goals, this could be used for session hijacking, site defacement, phishing, and more. The vulnerability has been addressed in GiveWP version 3.3.0 through improved sanitization filters.

Advice for Users:

  1. Immediate Action: Update to GiveWP version 3.3.0 or higher as soon as possible.
  2. Check for Signs of Compromise: Review GiveWP pages and posts for unauthorized code injections or defacements.
  3. Alternate Plugins: Consider alternative donation plugins like WP Donations as a precaution.
  4. Stay Updated: Ensure plugins are kept updated, enable auto-updates where possible.
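As an added example (not code from this report or from the GiveWP project) of how step 2 can be checked systematically rather than by eye: a small Python scanner that walks the HTML of each post or page and flags the constructs a stored-XSS injection leaves behind (script/iframe/object/embed tags, inline on* event handlers, and javascript:/data: URLs). It assumes the post HTML has already been pulled out of the site, for instance from a WXR export or a wp-cli dump; the sample posts are constructed.

```python
"""Scan WordPress post/page HTML for markers of stored script injection.
Added illustration, not GiveWP code: input is assumed to be each post's
post_content HTML, keyed by post id."""
from html.parser import HTMLParser

# Tags that contributor-authored post content should never contain.
SUSPICIOUS_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action"}


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for each suspicious construct."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # attrs: [(name, value or None)]
        if tag in SUSPICIOUS_TAGS:
            self.findings.append(("tag", tag))
        for name, value in attrs:
            # Inline event handlers such as onerror= or onload=.
            if name.startswith("on") and len(name) > 2:
                self.findings.append(("event-handler", f"{tag}@{name}"))
            # javascript: or data: URLs in href/src/action attributes.
            if name in URL_ATTRS and value:
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ("javascript", "data"):
                    self.findings.append(("url-scheme", f"{tag}@{name}={scheme}:"))

    handle_startendtag = handle_starttag  # treat <img .../> like <img ...>


def scan_post(html):
    """Return the list of findings for one post's HTML (empty if clean)."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_posts(posts):
    """posts: {post_id: html}. Returns only the posts that have findings."""
    results = {}
    for pid, html in posts.items():
        findings = scan_post(html)
        if findings:
            results[pid] = findings
    return results


SAMPLE_POSTS = {  # constructed sample content, not real site data
    101: "<p>Thank you for your donation!</p><a href='/donate'>Give again</a>",
    102: '<p>Campaign</p><img src=x onerror="alert(1)">',
    103: "<h2>News</h2><script>alert(1)</script><a href='JavaScript:void(0)'>x</a>",
}

if __name__ == "__main__":
    for pid, findings in scan_posts(SAMPLE_POSTS).items():
        print(f"post {pid}: {findings}")
```

Any hit is a lead to review by hand, not proof of compromise on its own, since administrators can legitimately embed scripts; the point is that contributor-level content should never contain them.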

Conclusion:

This vulnerability showcases the importance of secure coding practices by plugin developers as well as the need for users to keep plugins updated. The quick response by GiveWP to address this issue is encouraging. Users should install version 3.3.0 to ensure their sites are not vulnerable.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-322-authenticated-contributor-stored-cross-site-scripting

Detailed Report:

Keeping your website secure should be a top priority – but with so many components like themes, plugins and core software, it can be challenging to stay on top of every update. Unfortunately, that also means vulnerabilities can slip through the cracks, leaving your site exposed to threats. If you use the popular WordPress donation plugin GiveWP, a serious vulnerability was recently disclosed that could give attackers control of your site if left unpatched.

GiveWP is installed on over 100,000 WordPress sites to enable donation capabilities. It's a powerful plugin developed by webdevmattcrom with over 6 million downloads. However, analysts recently revealed security flaws that impact GiveWP versions up to and including 3.2.2.

Specifically, the plugin contains an input validation issue that could enable authenticated users with "Contributor" access or higher privileges to inject malicious JavaScript code into pages and posts. This code would then execute for any user that visits those pages, enabling a range of potential attacks. Hackers could steal user sessions, deface sites, conduct phishing attempts, and more depending on their motives.

If you use GiveWP, you should update to version 3.3.0 immediately to patch this serious vulnerability. You should also double check that your site has not already been compromised. Look for unauthorized code injections or page defacements throughout all posts and pages. If you discover any suspicious activity, take your site offline and contact a security professional immediately. You may also want to consider migrating donation functionalities to an alternate plugin such as WP Donations until issues with GiveWP are resolved.

Unfortunately, this type of vulnerability disclosure is nothing new for GiveWP. There have been over 35 other publicly documented vulnerabilities in the plugin since 2015, leaving many sites repeatedly exposed. This underscores the challenges small business owners face trying to stay on top of all software updates across their websites.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
