Over 100,000 WordPress Websites Vulnerable to Takeover Due to Critical Donation Plugin Flaw

Vlad CONSTANTINESCU

August 21, 2024

Defiant, a WordPress security firm, recently revealed that a severe vulnerability in the GiveWP WordPress donation plugin could expose over 100,000 websites to takeover attacks.

The flaw, tracked as CVE-2024-5932 and with a CVSS score of 10/10, could let threat actors execute code remotely and delete arbitrary files on vulnerable websites.

Flaw Stems From a PHP Object Injection

According to its description, the vulnerability stems from a PHP object injection that occurs through the deserialization of untrusted input supplied to the give_title parameter.

Unauthenticated attackers could exploit the flaw to inject a PHP object; leveraging an additional Property Oriented Programming (POP) flaw could allow them to execute arbitrary code on the server remotely and delete files at will.

Improper Sanitization Could Lead to Full Website Takeovers

PHP serialization is typically used for storing complex data structures; however, when this serialized data includes PHP objects, it can become a vector for attacks if not properly sanitized upon deserialization.

In such a scenario, perpetrators could manipulate deserialized objects to trigger special functions, commonly known as “magic methods,” which could lead to full website takeovers.

Plugin Functionality and Impact

GiveWP, the affected WordPress plugin, is widely used for donation and fundraising efforts. The vulnerability specifically affects the way the plugin handles the give_title post parameter, which is not covered by the validation applied to serialized values during donation processing.

The plugin then uses additional functions for processing and storing the user-supplied information. This includes collecting and storing user titles based on the give_title post parameter, which, if manipulated, leads to the aforementioned security risks.
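The two passages above (magic methods firing on deserialization, and a user-supplied title field that slips past the plugin's serialized-value checks) are easier to reason about with a small illustration. The following PHP is an added example, not GiveWP's code: the AuditNote class, the function names and the sample inputs are constructed for illustration, and the class does nothing harmful beyond setting a flag so you can see when PHP invokes its magic method.

```php
<?php
// Added example (not GiveWP code). Shows why handing untrusted input to
// unserialize() is dangerous, and two defensive patterns for a field that
// should only ever hold a short plain string. All names here are constructed.

declare(strict_types=1);

// A harmless class with a "magic method": PHP calls __wakeup() automatically
// whenever unserialize() produces an instance of this class.
final class AuditNote
{
    public string $message = '';

    public function __wakeup(): void
    {
        // In a real gadget chain this side effect is what an attacker
        // reuses; here it only records that the method ran.
        $GLOBALS['magic_method_ran'] = true;
    }
}

// Unsafe: the submitted value is trusted, so PHP instantiates whatever
// class the payload names and runs its magic methods.
function unsafeTitle(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened variant 1: forbid object creation from the input.
// With allowed_classes => false any object in the payload becomes a
// __PHP_Incomplete_Class, no magic method runs, and we reject it outright.
function safeTitle(string $raw): ?string
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null;                       // malformed serialized input
    }
    if (!is_string($value)) {
        return null;                       // objects, arrays etc. are refused
    }
    return $value;
}

// Hardened variant 2 (preferred): a donor title is a short plain string,
// so the field should never be treated as serialized data at all.
function sanitizeTitle(string $raw): ?string
{
    if (preg_match('/^[A-Za-z.\s]{1,20}\z/', $raw) !== 1) {
        return null;
    }
    return trim($raw);
}

// --- Constructed sample inputs ---
$benign = serialize('Mr.');                       // s:3:"Mr.";
$object = serialize(new AuditNote());             // O:9:"AuditNote":1:{...}

$GLOBALS['magic_method_ran'] = false;
unsafeTitle($object);
var_dump($GLOBALS['magic_method_ran']);           // bool(true): __wakeup() executed

$GLOBALS['magic_method_ran'] = false;
var_dump(safeTitle($object));                     // NULL: object refused
var_dump($GLOBALS['magic_method_ran']);           // bool(false): no magic method ran
var_dump(safeTitle($benign));                     // string(3) "Mr."
var_dump(sanitizeTitle('Mr.'));                   // string(3) "Mr."
var_dump(sanitizeTitle($object));                 // NULL: serialized blob is not a title
```

The first hardened variant is the minimal fix when a field genuinely must carry serialized data; the second is the better design for a field like a title, because rejecting anything that is not a short plain string removes deserialization from the code path entirely. On the detection side, a request body in which a free-text field begins with serialization tokens such as `O:` or `C:` is a strong signal worth alerting on at the web application firewall or in access logs.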

Update Immediately to Mitigate Risks

Developers addressed the issue by releasing version 3.14.2 of the vulnerable plugin. Owners of WordPress websites that use this plugin should immediately update the plugin to its latest version to mitigate risks associated with this flaw.

Despite the fix, there is significant concern that tens of thousands of websites remain unpatched, which is particularly troubling given the plugin's extensive download activity: over 60,000 downloads in the past week alone, according to WordPress statistics.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
