More than a hundred thousand WordPress websites are reportedly vulnerable to an exploit which allows threat actors to run malicious code remotely and completely unauthenticated, as well as being able to delete arbitrary files at will.
A cybersecurity researcher with the alias villu164, discovered a 10/10 vulnerability in a WordPress plugin called GiveWP, which is designed to facilitate online donations, making it easier for nonprofits, charities, and other organizations to collect funds directly through their websites.
The researcher found a PHP Object Injection vulnerability, stemming from a function that validates and sanitizes form data (including payment information) before it passes it to the specified gateway.
A patch is available
The vulnerability is tracked as CVE-2024-5932, and is found in all versions of the plugin, up to 3.14.2, which was released on August 7 2024 and fixes the problem. The bug “makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files,” WordPress security researchers Wordfence said in its report.
“We encourage WordPress users to verify that their sites are updated to the latest patched version of GiveWP as soon as possible considering the critical nature of this vulnerability,” Wordfence concluded. At press time, the latest version of the plugin was 3.15, which was released a week ago. The plugin has 100,000+ active installations, and is available in 24 languages.
The researcher who discovered the flaw, villu164, has earned themselves a $5,000 bounty reward for discovering the flaw.
WordPress is the world’s number one website builder platform, powering roughly half of all websites in existence. While it is generally considered secure, it offers a store with thousands of plugins and themes, not all of which are as secure as the underlying platform itself.
Via The Hacker News