GiveWP Vulnerability – Donation Plugin and Fundraising Platform – Multiple Vulnerabilities – CVE-2024-5939, CVE-2024-5940, CVE-2024-5941, CVE-2024-5932 | WordPress Plugin Vulnerability Report

Plugin Name: GiveWP – Donation Plugin and Fundraising Platform

Key Information:

  • Software Type: Plugin
  • Software Slug: give
  • Software Status: Active
  • Software Author: webdevmattcrom
  • Software Downloads: 7,784,276
  • Active Installs: 100,000
  • Last Updated: August 19, 2024
  • Patched Versions: 3.14.0, 3.14.2
  • Affected Versions: <= 3.13.0 (CVE-2024-5939, CVE-2024-5940); <= 3.14.1 (CVE-2024-5941, CVE-2024-5932)

Vulnerability 1 Details:

  • Name: GiveWP – Donation Plugin and Fundraising Platform <= 3.13.0
  • Title: Missing Authorization to Unauthenticated Event Settings Update
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  • CVE: CVE-2024-5940
  • CVSS Score: 6.5
  • Publicly Published: August 19, 2024
  • Researcher: villu164
  • Description: The GiveWP plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to and including 3.13.0. This flaw allows unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled.

Vulnerability 2 Details:

  • Name: GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1
  • Title: Missing Authorization to Authenticated (Subscriber+) Limited File Deletion
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  • CVE: CVE-2024-5941
  • CVSS Score: 5.4
  • Publicly Published: August 19, 2024
  • Researcher: villu164
  • Description: The GiveWP plugin is also vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to and including 3.14.1. This flaw allows authenticated attackers with Subscriber-level access and above to read attachment paths and delete attachment files.

Vulnerability 3 Details:

  • Name: GiveWP – Donation Plugin and Fundraising Platform <= 3.13.0
  • Title: Missing Authorization to Limited Information Exposure
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE: CVE-2024-5939
  • CVSS Score: 5.3
  • Publicly Published: August 19, 2024
  • Researcher: villu164
  • Description: The GiveWP plugin is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to and including 3.13.0. This flaw allows unauthenticated attackers to read the setup wizard administrative pages, potentially exposing sensitive information.

Vulnerability 4 Details:

  • Name: GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1
  • Title: Unauthenticated PHP Object Injection to Remote Code Execution
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE: CVE-2024-5932
  • CVSS Score: 10
  • Publicly Published: August 19, 2024
  • Researcher: villu164
  • Description: The GiveWP plugin is vulnerable to PHP Object Injection in all versions up to and including 3.14.1 due to deserialization of untrusted input from the 'give_title' parameter. This critical flaw allows unauthenticated attackers to inject a PHP Object. The presence of a POP chain enables attackers to execute code remotely and delete arbitrary files, potentially leading to complete site compromise.

Summary:

The GiveWP – Donation Plugin and Fundraising Platform for WordPress has multiple vulnerabilities in versions up to and including 3.13.0 and 3.14.1. These vulnerabilities range from unauthorized data modification and limited information exposure to a critical PHP Object Injection flaw that can lead to remote code execution. These vulnerabilities have been patched in versions 3.14.0 and 3.14.2.

Detailed Overview:

The vulnerabilities affecting the GiveWP plugin, identified as CVE-2024-5939, CVE-2024-5940, CVE-2024-5941, and CVE-2024-5932, were discovered by security researcher villu164. These vulnerabilities expose sites using the GiveWP plugin to various risks, including unauthorized data access, modification, and deletion, as well as the potential for remote code execution via PHP Object Injection.

The most critical of these is CVE-2024-5932, with a CVSS score of 10, which allows unauthenticated attackers to inject PHP Objects through the 'give_title' parameter. The presence of a POP chain enables attackers to execute arbitrary code, potentially leading to complete site takeover.

Other vulnerabilities, such as CVE-2024-5940 and CVE-2024-5941, involve missing authorization checks that allow attackers to modify event settings and delete files without proper permissions. CVE-2024-5939 exposes the setup wizard administrative pages, which could reveal sensitive information to unauthorized users.

Given the severity of these vulnerabilities, it is crucial for site owners to take immediate action to protect their WordPress installations.

Advice for Users:

Immediate Action: Users of the GiveWP plugin should update to version 3.14.2 or later immediately; that release contains the fixes from both patched versions (3.14.0 and 3.14.2) and secures sites against all four vulnerabilities.

Check for Signs of Vulnerability: Review your site for any unusual activity, particularly in relation to event settings, file deletions, and administrative page access. If you notice any suspicious changes, your site may have been compromised.

Alternate Plugins: While a patch is available, users might consider exploring alternative donation and fundraising plugins if they are concerned about the security history of the GiveWP plugin.

Stay Updated: Always ensure that your WordPress plugins are updated to the latest versions to avoid vulnerabilities.

Conclusion:

The prompt response from the GiveWP plugin developers to patch these vulnerabilities underscores the importance of timely updates. However, managing updates and maintaining site security can be challenging for small business owners who may not have the time or expertise to handle these tasks.

If you’re concerned about your website’s security or find it difficult to keep up with necessary updates, consider seeking professional assistance. Keeping your site secure from vulnerabilities like these is essential for maintaining the trust and safety of your customers.

References:

Detailed Report: 

In today’s digital landscape, maintaining the security of your WordPress website is more important than ever. One of the key aspects of protecting your site is ensuring that all your plugins are regularly updated. Outdated plugins can leave your site vulnerable to attacks, potentially leading to unauthorized data access, site defacement, or even a complete takeover by malicious actors. A recent and alarming example of this is the discovery of multiple vulnerabilities in the widely-used GiveWP – Donation Plugin and Fundraising Platform, which is active on over 100,000 WordPress sites.

Plugin Overview

The GiveWP – Donation Plugin and Fundraising Platform is a popular tool designed to help non-profits and charities manage online donations and fundraising efforts. Developed by webdevmattcrom, the plugin has been downloaded over 7.7 million times, with more than 100,000 active installations. Its extensive features make it a valuable resource for organizations looking to streamline their donation processes. However, with such widespread use comes the responsibility to keep the plugin updated to protect against security vulnerabilities.

As of its last update on August 19, 2024, the plugin received critical patches in versions 3.14.0 and 3.14.2, addressing several severe security vulnerabilities.

Details of the Vulnerabilities

The vulnerabilities affecting the GiveWP plugin, identified as CVE-2024-5939, CVE-2024-5940, CVE-2024-5941, and CVE-2024-5932, were discovered by security researcher villu164. These vulnerabilities expose sites using the GiveWP plugin to various risks, ranging from unauthorized data access to full site compromise.

  1. CVE-2024-5939: This vulnerability allows unauthorized access to the setup wizard administrative pages due to a missing capability check on the 'setup_wizard' function. If exploited, attackers can read sensitive information from these pages.
  2. CVE-2024-5940: This flaw allows unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled. The vulnerability stems from a missing capability check on the 'handle_request' function.
  3. CVE-2024-5941: This vulnerability permits authenticated attackers with Subscriber-level access or higher to delete files and read attachment paths. It is caused by a missing capability check on the 'handle_request' function, similar to the previous vulnerability.
  4. CVE-2024-5932: The most critical of these vulnerabilities, CVE-2024-5932, involves PHP Object Injection due to deserialization of untrusted input from the 'give_title' parameter. This flaw allows unauthenticated attackers to inject PHP Objects, leading to remote code execution and potentially full site takeover.

Risks and Potential Impacts

For small business owners and non-profits relying on the GiveWP plugin, the risks associated with these vulnerabilities are significant. If exploited, these flaws could:

  • Compromise your website’s security: Unauthorized access to sensitive administrative pages or the ability to delete files can disrupt your operations and expose confidential information.
  • Lead to a full site takeover: The PHP Object Injection vulnerability, with a CVSS score of 10, could allow attackers to execute arbitrary code, gaining complete control over your website.
  • Damage your reputation: A compromised website can lead to a loss of trust from donors and supporters, potentially affecting your fundraising efforts and the credibility of your organization.

How to Remediate the Vulnerabilities

Fortunately, the developers of the GiveWP plugin have released patches in versions 3.14.0 and 3.14.2 to address these vulnerabilities. To secure your website, it is essential to:

  1. Update the Plugin Immediately: Ensure that you are using version 3.14.2 or later. This update closes the vulnerabilities and protects your site from potential exploitation.
  2. Check for Signs of Compromise: Review your site for any unusual activity, particularly in relation to event settings, file deletions, and administrative page access. If you notice any suspicious changes, your site may have been compromised.
  3. Consider Alternative Plugins: While a patch is available, you may want to explore other donation and fundraising plugins, especially if you have concerns about the security history of the GiveWP plugin.
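As a concrete form of the "Check for Signs of Compromise" step, and tied to the 'give_title' parameter named in the CVE-2024-5932 description, here is an added example that is not code from the page or from the GiveWP project: a small Python scan over constructed Apache combined-format access-log lines that flags any request whose give_title query value is shaped like a serialized PHP object. The log lines, IP addresses and the admin-ajax action name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2024:10:01:02 +0000] "GET /?give_title=Thanks%21 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Aug/2024:10:01:05 +0000] "GET /?give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [19/Aug/2024:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=example HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP serialized-object prefix O:<len>:"<class>", either at the start of the value
# or nested after a separator (arrays/properties wrapping an object).
PHP_OBJ_RE = re.compile(r'(?:^|[;{:])O:\d+:"')


def suspicious_give_title(line):
    """Return (client_ip, decoded give_title) when the value looks like a serialized
    PHP object, otherwise None. Only the URL query string is inspected."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes the values once (e.g. %3A -> ':', %22 -> '"').
    for value in parse_qs(query, keep_blank_values=True).get("give_title", []):
        if PHP_OBJ_RE.search(value):
            return m.group("ip"), value
    return None


def scan(log_text):
    """Scan a whole log and return the list of (client_ip, give_title) hits."""
    hits = []
    for line in log_text.splitlines():
        hit = suspicious_give_title(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"serialized PHP object in give_title from {ip}: {value}")
```

Access logs normally record only the query string, so parameters sent in a POST body are invisible here; a WAF or request-body log is needed to cover that path, and a hit is a reason to investigate, not proof of compromise.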

Overview of Previous Vulnerabilities

It’s important to note that these are not the first vulnerabilities affecting the GiveWP plugin. Since April 20, 2015, there have been 45 previous vulnerabilities reported. This history highlights the importance of staying vigilant and ensuring that all plugins, especially those with a history of security issues, are regularly updated and closely monitored.

Conclusion

The prompt response from the GiveWP plugin developers to patch these vulnerabilities underscores the critical importance of staying on top of updates. However, managing updates and ensuring your website’s security can be particularly challenging for small business owners who may not have the time or expertise to handle these tasks.

If you’re concerned about your website’s security or find it difficult to keep up with necessary updates, consider seeking professional assistance. Keeping your site secure from vulnerabilities like these is essential for maintaining the trust and safety of your customers, supporters, and donors. In the ever-evolving landscape of online security, staying proactive is key to protecting your digital assets.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

