Question 1

What is the GiveWP plugin?

Accepted Answer

What is the GiveWP plugin?

The GiveWP plugin is a widely used WordPress plugin for accepting donations on websites. With over 6 million downloads and 100,000 active installs, GiveWP powers donation capabilities for many nonprofit, charity, church, and other websites relying on contributions.

Developed by webdevmattcrom, GiveWP is full-featured plugin that handles everything from forms to collecting payment to tracking donor history and more to enable fundraising online.

Question 2

Why is GiveWP considered vulnerable?

Accepted Answer

Why is GiveWP considered vulnerable?

A vulnerability was recently disclosed impacting GiveWP versions up to and including 3.2.2. The plugin contains a security weakness that enables authenticated users to inject malicious code into pages and posts. Specifically, those with "contributor" level access or higher privileges have the potential to add unauthorized JavaScript payloads. This code will then execute for visiting users, enabling phishing, site hijacking, theft and other threats.

The core issue is insufficient input sanitization and output encoding that would prevent user-supplied scripts from rendering. GiveWP failed to implement the proper protections, allowing dangerous scripts to persist.

Question 3

How can this vulnerability be exploited?

Accepted Answer

How can this vulnerability be exploited?

Attackers would first need to gain contributor access to the vulnerable WordPress site. From there, malicious JavaScript code could be added into GiveWP-powered pages or posts via the editor. For example, a compromised user account could be leveraged or an existing account might be hijacked via credential stuffing.

Once the script has been injected and saved within page content, it would trigger for any user that visits that page. Depending on the payload, an attacker could steal sessions, extract private data, deface sites and more. More targeted phishing or drive-by attacks are also possible depending on the goals of the hacker exploiting this access and code execution vector.

Question 4

What versions of GiveWP are affected?

Accepted Answer

What versions of GiveWP are affected?

GiveWP versions 3.2.2 and earlier contain the authenticated stored cross-site scripting vulnerability enabling malicious code injection. Users running any release in the version 3.x branch up to and including 3.2.2 are impacted and should update immediately.

Those running the latest GiveWP version 3.3.0 have the patch applied and are not affected. This newest version was released on January 19th, 2023 specifically to address this stored XSS threat.

Question 5

What is cross-site scripting and why is it dangerous?

Accepted Answer

What is cross-site scripting and why is it dangerous?

Cross-site scripting, often abbreviated as XSS, is an attack targeting vulnerabilities in web apps' input handling and output encoding. When text input fields fail to sanitize user-supplied data properly, it enables attackers to inject executable code like JavaScript. If this code is then displayed on a page without neutralizing dangerous elements, the scripts can hijack user sessions, extract private data and much more.

Stored XSS is an especially dangerous subset where malicious scripts get stored directly on vulnerable apps, vs just passing through in reflective or DOM-based XSS. Any user that hits an injected page then has that compromised code execute in their browser. Depending on where that code sits - like in this GiveWP vulnerability - a single injection can impact many site visitors.

Question 6

What impacts are possible if my site is compromised via this vulnerability?

Accepted Answer

What impacts are possible if my site is compromised via this vulnerability?

A wide range of threats are possible if an attacker leverages this access vector, depending on their capabilities and motives. Potential impacts include:

Session hijacking and account takeovers by stealing user cookies
Phishing attempts to harvest login credentials
Skimming sensitive donor payment data
Complete site defacements and graffiti
Stealing database contents or installing backdoors
Cryptomining scripts for computational theft
Ransomware or other malware distribution

Attackers could even utilize this initial access as a pivot point to explore underlying server resources depending on site configurations.

Question 7

Is updating to GiveWP 3.3.0 enough to fully mitigate this vulnerability?

Accepted Answer

Is updating to GiveWP 3.3.0 enough to fully mitigate this vulnerability?

Updating to the latest patched GiveWP version is the first critical step in securing sites against this authenticated stored XSS vulnerability. However, additional confirmation is advised to validate that no unauthorized scripts were already injected while running the vulnerable plugin.

Carefully check over all GiveWP-powered pages, posts and forms for signs of malicious code, unexpected iframes or other suspicious inclusions. Also verify no new or altered admin accounts exist. Assuming no other red flags turn up through these checks, the update to 3.3.0 should fully remediate the issue.

Question 8

What other best practices help guard against XSS and related threats?

Accepted Answer

What other best practices help guard against XSS and related threats?

Proper access control, prompt software patching, penetration testing and activity monitoring provide layered defense against vulnerabilities being exploited in general. Specifically guarding against XSS, output encoding, escaping untrusted data, CSP adoption, security headers and enabling WAF rules also help filter and neutralize injection attempts.

For average users however, one of the most fundamental protections is simply using reputable, maintained plugins and themes from developers that follow secure coding principles. Risk exposure from outdated, vulnerable extensions being probed by attackers remains an ongoing issue in the WordPress ecosystem.

Question 9

Who discovered and reported this GiveWP vulnerability?

Accepted Answer

Who discovered and reported this GiveWP vulnerability?

The stored XSS vulnerability within GiveWP was discovered and confidentially reported by a security researcher using the handle "LVT-tholv2k”. After responsible disclosure directly to the GiveWP team, a patch was prepared by lead developer webdevmattcrom and shipped out in version 3.3.0.

Once patched versions were available, LVT-tholv2k published full technical details allowing site owners to understand the risks and update accordingly. This process ensures vulnerabilities get addressed in a coordinated way without enabling any harm in the interim.

Question 10

Should I consider switching from GiveWP after this vulnerability?

Accepted Answer

Should I consider switching from GiveWP after this vulnerability?

The rapid response by the GiveWP team to address this vulnerability is encouraging and a factor to consider before migrating away from the popular plugin. However, with dozens of security issues arising over the past decade impacting millions of GiveWP users repeatedly, confidence has undoubtedly been shaken for some site owners.

Each organization will have to weigh the benefits of GiveWP’s extensive features with the plugin’s track record of vulnerabilities requiring urgent upgrades. For those seeking an alternative, WP Donations offers comparable donation functionality within WordPress. As usual, performing due diligence is key before adopting any new platform.

theft

GiveWP Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-51415 | WordPress Plugin Vulnerability Report

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy