GiveWP Vulnerability – Donation Plugin and Fundraising Platform – Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode – CVE-2024-1957 | WordPress Plugin Vulnerability Report

Plugin Name: GiveWP – Donation Plugin and Fundraising Platform

Key Information:

  • Software Type: Plugin
  • Software Slug: give
  • Software Status: Active
  • Software Author: webdevmattcrom
  • Software Downloads: 7,093,144
  • Active Installs: 100,000
  • Last Updated: April 25, 2024
  • Patched Versions: 3.7.0
  • Affected Versions: <= 3.6.1

Vulnerability Details:

  • Name: GiveWP – Donation Plugin and Fundraising Platform <= 3.6.1
  • Title: Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1957
  • CVSS Score: 6.4
  • Publicly Published: April 12, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The GiveWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'give_form' shortcode. This flaw stems from insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level or higher permissions to inject arbitrary web scripts. These scripts can execute whenever a user accesses an injected page, potentially compromising user data or manipulating page content.

Summary:

The GiveWP plugin for WordPress has disclosed a vulnerability in versions up to and including 3.6.1 that permits authenticated users with contributor-level or higher permissions to perform stored cross-site scripting (XSS) through its shortcode functionality. The issue (CVSS 6.4) has been addressed in the latest patch, version 3.7.0.

Detailed Overview:

This vulnerability, identified by researcher Ngô Thiên An from VNPT-VCI and published on April 12, 2024, represents a significant security risk, particularly for websites relying on the GiveWP plugin for fundraising and donations. The vulnerability could be exploited to perform malicious actions such as stealing cookies, session tokens, or even redirecting donors to malicious websites, thereby undermining the trust and integrity of the fundraising platform. The patched version 3.7.0 corrects this by enhancing the input validation and escape mechanisms, ensuring that the shortcode attributes are properly sanitized before being processed.
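To show the pattern the description above refers to (a shortcode attribute reaching HTML without being escaped) next to the kind of fix the patch notes describe, here is an added illustration in PHP. It is not GiveWP's code; the 'example_form' shortcode, its attribute names and both handler functions are hypothetical.

```php
<?php
// Added illustration, not GiveWP's code: a hypothetical "example_form" shortcode
// showing the weak pattern the advisory describes (attribute values interpolated
// into markup as-is) beside a hardened handler. Contributors can place shortcodes
// in posts, so every attribute must be treated as untrusted input.

// WEAK: attribute values go straight into the HTML, so anything a contributor
// writes in title="..." is rendered for every visitor of the page.
function example_form_shortcode_weak( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'example_form' );
    return '<div class="example-form" data-id="' . $atts['id'] . '">'
         . '<h2>' . $atts['title'] . '</h2></div>';
}

// HARDENED: coerce each attribute to its expected type on input and escape it
// for the context it is written into on output.
function example_form_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => 0, 'title' => '', 'show_goal' => 'false' ),
        $atts,
        'example_form'
    );

    // Numeric attribute: a positive integer or the shortcode renders nothing.
    $id = absint( $atts['id'] );
    if ( 0 === $id ) {
        return '';
    }

    // Enumerated attribute: only values from a fixed allow-list are accepted.
    $show_goal = in_array( $atts['show_goal'], array( 'true', 'false' ), true )
        ? $atts['show_goal']
        : 'false';

    // Free-text attribute: strip tags on input, escape as HTML text on output.
    $title = sanitize_text_field( $atts['title'] );

    return sprintf(
        '<div class="example-form" data-id="%d" data-show-goal="%s"><h2>%s</h2></div>',
        $id,
        esc_attr( $show_goal ),
        esc_html( $title )
    );
}
add_shortcode( 'example_form', 'example_form_shortcode_safe' );
```

The same rule applies to every attribute a shortcode accepts: validate it against its expected type, and escape it with the WordPress helper that matches where it lands (esc_attr for attribute values, esc_html for element text, esc_url for links).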

Advice for Users:

  • Immediate Action: Users of the GiveWP plugin should immediately update to version 3.7.0 to mitigate this vulnerability and prevent potential exploits.
  • Check for Signs of Vulnerability: Administrators should monitor their website logs and check for any unusual activities or unauthorized script executions that could indicate past exploitations.
  • Alternate Plugins: While the current patch resolves the issue, users concerned about security might evaluate other fundraising plugins that have robust security measures in place.
  • Stay Updated: Maintaining up-to-date versions of all WordPress plugins is crucial in protecting your site against known vulnerabilities and enhancing site functionality.

Conclusion:

The prompt update provided by the developers of GiveWP following the discovery of this XSS vulnerability highlights the importance of quick and effective responses in the digital security landscape. Website administrators, particularly those managing donation platforms, are reminded of the critical need to keep their software updated and to implement comprehensive security practices to safeguard donor information and maintain trust.

Detailed Report:

The integrity of digital platforms is crucial, especially for non-profit organizations that rely heavily on online donations. A recent security flaw in the GiveWP – Donation Plugin and Fundraising Platform, which is utilized by over 100,000 websites, highlights the ongoing challenge of maintaining secure digital environments. The vulnerability, identified as CVE-2024-1957, allowed users with basic contributor access to manipulate web pages by injecting malicious scripts via the plugin's shortcode, posing significant risks to site security and user data.

Summary:

The identified security issue in versions up to and including 3.6.1 of GiveWP enabled lower-level users (contributor and above) to inject scripts that run in visitors' browsers through the platform's shortcode system. The developers have addressed this in version 3.7.0, which corrects the input validation and output escaping flaw.

Detailed Overview:

Discovered and reported by Ngô Thiên An of VNPT-VCI, this vulnerability posed a significant threat by allowing users with only the contributor role to inject scripts that could alter the behavior of web pages or steal private information from unsuspecting visitors. Such vulnerabilities can drastically undermine user trust and the effectiveness of fundraising campaigns. With version 3.7.0, shortcode attributes are sanitized and escaped before they are rendered, which prevents this class of exploit.

Conclusion:

This swift resolution following the discovery of CVE-2024-1957 by GiveWP's developers emphasizes the importance of rapid update deployment in the digital security ecosystem. For site administrators, especially those in charge of handling sensitive information like donations, staying updated is non-negotiable. It's crucial for protecting not just your data but also the trust and safety of your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
