
CVE-2024-8353 Scanner
CVE-2024-8353 Scanner - PHP Object Injection vulnerability in GiveWP Donation Plugin
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 4 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
The GiveWP Donation Plugin is widely used by nonprofits and other organizations that collect donations through their WordPress sites. It streamlines fundraising by integrating with various payment gateways to accept online donations. Because of its popularity, it is a frequent subject of security assessments and audits. GiveWP manages donor data, processes transactions, and generates reports, all essential functions for organizations that depend on donor contributions. Given this central role in fundraising, keeping the plugin secure is of paramount importance: a flaw in such a plugin affects not only the organization but its donors as well.
PHP Object Injection remains a prominent security concern in web applications such as GiveWP. The vulnerability arises when user-supplied input is passed to PHP's deserialization routine without adequate validation, allowing an attacker to supply a crafted serialized object. If the application contains a suitable POP (property-oriented programming) chain, deserializing that object can lead to execution of arbitrary PHP code, which may result in full compromise of the host, including ransomware deployment or a complete outage. Because of its severity, fixing PHP Object Injection must be prioritized in security patches; left unresolved, it allows malicious parties to extract sensitive donor, transaction, and organizational data. The frequency with which such sites are targeted underscores the need for strict input validation.
The vulnerability stems from inadequate validation of user data within the GiveWP Donation Plugin, which allows malicious payloads to bypass its security checks. Specifically, plugin versions <= 3.16.1 fail to sanitize input properly before it is deserialized, leaving the plugin open to injection. The affected endpoint is typically reached via POST requests to `admin-ajax.php`, with parameters such as `give-form-id` and `give-process-donation` involved in the request. An attacker uses these parameters to deliver a payload designed to trigger unsafe deserialization; on a vulnerable system, the payload can perform unauthorized actions, including executing PHP code.
If the PHP Object Injection vulnerability in the GiveWP Donation Plugin is exploited, the consequences are severe. An attacker could gain unauthorized access to the server, execute arbitrary code, and ultimately compromise the website entirely. This could expose sensitive information such as donor details and financial transactions. A successful exploit could also let attackers alter donation data, redirect payments, or inject malware into the site. The integrity of the organization's digital infrastructure would be seriously damaged, tarnishing its reputation and undermining donor trust.
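The following PHP snippet is an added illustration of the vulnerability class described above, not code from GiveWP or from this scanner. It contrasts the unsafe pattern (calling `unserialize()` directly on a request field) with two hardened alternatives: refusing to instantiate any class via `allowed_classes => false`, and avoiding PHP's native serialization format altogether in favour of JSON. The class `AuditLogEntry`, the function names and the request field are hypothetical; the field name `give-form-id` is reused only as a label for constructed sample data.

```php
<?php
// Added example illustrating PHP Object Injection and its mitigation.
// This is NOT GiveWP's code; class, functions and inputs are hypothetical.

// A harmless class that merely shows that deserialization instantiates objects
// and runs their magic methods before application code ever sees the data.
class AuditLogEntry {
    public $message = '';
    public function __wakeup() {
        error_log('AuditLogEntry::__wakeup ran during unserialize');
    }
}

// UNSAFE: the pattern behind PHP Object Injection. Any class named in the
// serialized string is instantiated, and its __wakeup/__destruct logic runs.
function restore_form_state_unsafe(string $raw) {
    return unserialize($raw);
}

// Recursively check whether a decoded value contains any object at all
// (after allowed_classes=false, object payloads become __PHP_Incomplete_Class).
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED, option 1: forbid every class, then reject anything that still
// decoded to an object. No magic method can run on __PHP_Incomplete_Class.
function restore_form_state_safe(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed serialized data
    }
    if (contains_object($value)) {
        return null; // object payloads are never acceptable here
    }
    return $value;
}

// HARDENED, option 2 (preferred for new code): do not use PHP's native
// serialization across a trust boundary at all; JSON cannot name classes.
function restore_form_state_json(string $raw) {
    $value = json_decode($raw, true, 16);
    return json_last_error() === JSON_ERROR_NONE ? $value : null;
}

// Constructed sample inputs: a benign scalar array and an object payload.
$benign        = serialize(['give-form-id' => 42]);
$objectPayload = 'O:13:"AuditLogEntry":1:{s:7:"message";s:4:"test";}';

$unsafe = restore_form_state_unsafe($objectPayload);
echo 'unsafe path instantiated AuditLogEntry: ',
     ($unsafe instanceof AuditLogEntry ? 'yes' : 'no'), PHP_EOL;

$safe = restore_form_state_safe($objectPayload);
echo 'hardened path accepted object payload: ',
     ($safe === null ? 'no (rejected)' : 'yes'), PHP_EOL;

$ok = restore_form_state_safe($benign);
echo 'hardened path restored benign form id: ',
     (is_array($ok) ? (string) $ok['give-form-id'] : 'rejected'), PHP_EOL;

$json = restore_form_state_json(json_encode(['give-form-id' => 42]));
echo 'json path restored form id: ',
     (is_array($json) ? (string) $json['give-form-id'] : 'rejected'), PHP_EOL;
```

Run with `php example.php`. The unsafe path instantiates the class named in the request and triggers its `__wakeup()`; the hardened path returns `null` for the same input while still restoring the benign array. When auditing a plugin for this class of bug, every `unserialize()` reachable from request data (including `admin-ajax.php` handlers) should either pass `['allowed_classes' => false]` or be replaced by `json_decode()`.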
REFERENCES
- https://nvd.nist.gov/vuln/detail/CVE-2024-8353
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3161-unauthenticated-php-object-injection
- https://plugins.trac.wordpress.org/browser/give/trunk/readme.txt
- https://plugins.trac.wordpress.org/browser/give/tags/3.16.0/includes/process-donation.php#L154