A recent revelation has brought to light a critical security flaw in the WordPress GiveWP donation and fundraising plugin, leaving over 100,000 websites vulnerable to remote code execution attacks.
Identified as CVE-2024-5932 with a CVSS score of 10.0, the vulnerability affects all versions of the plugin prior to the release of version 3.14.2 on August 7, 2024. The flaw was first reported by security researcher villu164.
According to a report by Wordfence, the flaw in the GiveWP plugin allows unauthenticated attackers to conduct PHP Object Injection by deserializing untrusted input from the ‘give_title’ parameter. This manipulation, coupled with a POP chain, enables malicious actors to execute remote code and delete arbitrary files.
The security loophole stems from a function called “give_process_donation_form(),” responsible for validating and sanitizing form data before transmitting donation details, including payment information, to the specified gateway.
It is imperative for users to update their plugin to version 3.14.2 to prevent authenticated threat actors from exploiting the vulnerability to execute malicious code on the server.
Aside from the GiveWP plugin, other WordPress vulnerabilities have also been uncovered recently, such as the one affecting the InPost PL and InPost for WooCommerce plugins. Moreover, the JS Help Desk plugin has also been found to have a critical PHP code injection flaw.
Furthermore, various other WordPress plugins have been found to contain security flaws, such as the 简数采集器 (Keydatas) plugin, BookingPress appointment booking plugin, and Modern Events Calendar plugin, among others.
Addressing these vulnerabilities promptly is crucial to prevent cyberattacks that may exploit them to deploy credit card skimmers capable of stealing financial information.
Sucuri recently highlighted a skimmer campaign targeting PrestaShop e-commerce sites with malicious JavaScript utilizing a WebSocket connection to pilfer credit card details.
WordPress site owners are advised against using nulled plugins and themes, as they pose a serious risk of malware infiltration and other malicious activities. Opting for legitimate plugins and themes is crucial for maintaining website security and integrity.