WordPress Plugin Vulnerability Report – GiveWP – Cross-Site Request Forgery – CVE-2023-4247, CVE-2023-4248

Plugin Name: GiveWP

Key Information:

  • Software Type: Plugin
  • Software Slug: give
  • Software Status: Active
  • Software Author: webdevmattcrom
  • Software Downloads: 6,043,447
  • Active Installs: 100,000
  • Last Updated: October 31, 2023
  • Patched Versions: 2.33.4
  • Affected Versions: <= 2.33.3

Vulnerability 1 Details:

  • Name: GiveWP <= 2.33.3 - Cross-Site Request Forgery to plugin deactivation
  • Title: Cross-Site Request Forgery to plugin deactivation
  • Type: Cross-Site Request Forgery (CSRF)
  • CVE: CVE-2023-4247
  • CVSS Score: 5.4 (Medium)
  • Publicly Published: October 31, 2023
  • Researcher: Marco Wotschka
  • Description: The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_sendwp_disconnect function. This makes it possible for unauthenticated attackers to deactivate the SendWP plugin via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking on a link.

Vulnerability 2 Details:

  • Name: GiveWP <= 2.33.3 - Cross-Site Request Forgery to Stripe Integration Deletion
  • Title: Cross-Site Request Forgery to Stripe Integration Deletion
  • Type: Cross-Site Request Forgery (CSRF)
  • CVE: CVE-2023-4248
  • CVSS Score: 5.4 (Medium)
  • Publicly Published: October 31, 2023
  • Researcher: Marco Wotschka
  • Description: The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers to disconnect the plugin's Stripe integration settings via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking on a link.

Summary:

The GiveWP plugin for WordPress has vulnerabilities in versions up to and including 2.33.3 that allow Cross-Site Request Forgery attacks. These vulnerabilities have been patched in version 2.33.4.

Detailed Overview:

The researcher Marco Wotschka disclosed two Cross-Site Request Forgery (CSRF) vulnerabilities in GiveWP affecting versions up to and including 2.33.3. The first allows an unauthenticated attacker to deactivate the SendWP plugin if they can trick a logged-in administrator into clicking a malicious link. The second allows an attacker, under the same precondition, to delete the plugin's Stripe integration settings through a forged request. Both are caused by missing or incorrect nonce validation on the affected functions: the handlers act on the administrator's session cookie alone, without a per-request token that proves the request originated from the site's own admin pages. CSRF attacks let malicious actors perform state-changing actions on behalf of authenticated users without their consent or knowledge, which for a donation plugin means disrupting payment processing. Users are urged to update to version 2.33.4 as soon as possible to mitigate these vulnerabilities.

Advice for Users:

  1. Immediate Action: Update to version 2.33.4 or higher as soon as possible.
  2. Check for Signs of Exploitation: Review the Stripe integration settings and the installed plugin list to confirm that the Stripe connection is still in place and SendWP has not been deactivated without your knowledge.
  3. Alternate Plugins: Consider alternative donation plugins like WP Donations as a precaution.
  4. Stay Updated: Always keep your plugins updated to avoid vulnerabilities.

Conclusion:

The quick response by GiveWP developers to patch these vulnerabilities shows their commitment to security. Users should install version 2.33.4 immediately to close these CSRF vulnerabilities. Proper nonce validation in future releases will help prevent similar issues going forward.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-2333-cross-site-request-forgery-to-plugin-deactivation

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-2333-cross-site-request-forgery-to-stripe-integration-deletion

Detailed Report

Keeping your WordPress website and its plugins up-to-date is critical for security. Unfortunately, many site owners neglect updates, leaving their sites exposed to vulnerabilities. This was recently demonstrated by two CSRF flaws found in the popular donation plugin GiveWP affecting versions up to and including 2.33.3. These vulnerabilities allow an attacker to deactivate the SendWP companion plugin or delete the Stripe payment integration settings through forged requests that an administrator's browser submits without the administrator realising it. Successful exploitation could disrupt donation processing on the affected site.

GiveWP is one of the most widely used donation and payment plugins for WordPress, with over 6 million downloads and 100,000 active installs. Recently, security researcher Marco Wotschka disclosed two medium-severity vulnerabilities in GiveWP versions up to and including 2.33.3:

  • CVE-2023-4247 - Cross-Site Request Forgery (CSRF) to plugin deactivation
  • CVE-2023-4248 - Cross-Site Request Forgery (CSRF) to Stripe integration deletion

These vulnerabilities allow unauthenticated remote attackers to trick logged-in administrators into clicking malicious links (or visiting attacker-controlled pages) that cause the administrator's own browser to deactivate the SendWP plugin or disconnect the Stripe payment settings. This works because the affected GiveWP functions did not properly validate a WordPress nonce, so the administrator's session cookie was the only thing authorising the action.
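The following is an added illustration, not GiveWP's own code, of the mechanism described above and in the Detailed Overview: an admin-triggered "disconnect" handler written the CSRF-prone way (no nonce, no capability check) next to the way WordPress expects it to be written. The WordPress API calls (`check_admin_referer`, `wp_nonce_url`, `current_user_can`, `deactivate_plugins`) are real; every option, plugin, action and query-parameter name (`example_*`) is a hypothetical placeholder chosen for the example.

```php
<?php
/**
 * Added example, not GiveWP's code. Demonstrates why a missing nonce check
 * turns an admin-only action into a CSRF target, and how to fix it.
 * All option/plugin/action names below are hypothetical.
 */

const EXAMPLE_NONCE_ACTION = 'example_disconnect_gateway';

// --- Vulnerable pattern (what a missing nonce check looks like) -------------
// Reached by GET /wp-admin/admin.php?page=example&example_disconnect=1.
// The only thing authorising it is the admin's session cookie, which the
// browser attaches to *any* request to the site, including one a third-party
// page triggers with
//   <img src="https://victim.example/wp-admin/admin.php?page=example&example_disconnect=1">
// while the admin happens to be logged in. Not hooked here so it never runs.
function example_disconnect_vulnerable() {
    if ( empty( $_GET['example_disconnect'] ) ) {
        return;
    }
    delete_option( 'example_gateway_account_id' );           // "integration deletion"
    deactivate_plugins( 'example-addon/example-addon.php' ); // "plugin deactivation"
}

// --- Hardened pattern ------------------------------------------------------
function example_disconnect_hardened() {
    if ( empty( $_GET['example_disconnect'] ) ) {
        return;
    }
    // 1. Capability check: only a user allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Nonce check: the token is bound to this user, this action and a time
    //    window, and a cross-origin page cannot read or predict it, so a forged
    //    request dies here. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( EXAMPLE_NONCE_ACTION, '_wpnonce' );

    delete_option( 'example_gateway_account_id' );
    deactivate_plugins( 'example-addon/example-addon.php' );

    // 3. Redirect so the state-changing URL (with its nonce) does not linger
    //    in the address bar or browser history.
    wp_safe_redirect( remove_query_arg( array( 'example_disconnect', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'example_disconnect_hardened' );

// The settings page must emit the link with a matching nonce. This is what makes
// the hardened handler usable by the real admin and unusable by a forger.
function example_disconnect_link() {
    $url = add_query_arg( 'example_disconnect', '1', admin_url( 'admin.php?page=example' ) );
    return wp_nonce_url( $url, EXAMPLE_NONCE_ACTION, '_wpnonce' );
}
```

The nonce is only half of the fix: without the `current_user_can()` check, any logged-in subscriber who obtained a nonce could run the action; without the nonce, any site the administrator visits can. For handlers registered through `wp_ajax_*` the equivalent call is `check_ajax_referer()`, and for REST routes the `permission_callback` plus the `X-WP-Nonce` header play the same role.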

The potential impacts of these flaws are real but bounded: an attacker could disrupt donations by disconnecting the Stripe integration or disable the SendWP email plugin, which is why both carry a CVSS score of 5.4 (Medium severity) rather than a higher rating. Exploitation requires the attacker to get a logged-in administrator to click a link or visit a page, but the effect on a site that depends on GiveWP for revenue can still be significant.

While GiveWP has provided a patched update fixing these issues (version 2.33.4), many sites likely still run outdated and vulnerable versions. We highly recommend updating GiveWP to version 2.33.4 immediately to close these CSRF holes.

For site owners concerned about their security, this incident is an important reminder to never ignore updates for WordPress or its plugins. Running the latest software is the best defense against vulnerabilities being actively exploited in the wild.

In addition to these recent CSRF flaws, GiveWP has had 33 previous vulnerabilities reported since 2015. This highlights the ongoing security risks of outdated WordPress plugins. Small business owners with limited time and resources can improve their security by using a managed WordPress host that handles updates and security monitoring.

Staying on top of WordPress and plugin updates is tedious but critical work. Neglecting to update leaves sites open to attack. While GiveWP promptly addressed these issues, many site owners remain needlessly vulnerable. We urge users to update GiveWP as soon as possible and implement ongoing security best practices. Don't let your website be the next exploited by attackers - update early and often!

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
