CVE-2020-20627 Scanner
CVE-2020-20627 Scanner - Missing Authorization vulnerability in GiveWP
Short Info
- Level: Single Scan
- Can be used by: Asset Owner
- Estimated Time: 10 seconds
- Time Interval: 23 days 19 hours
- Scan only one: URL
GiveWP is a widely used donation plugin for WordPress. It is primarily used by non-profit organizations to accept online donations. Built by a team with experience in crowdfunding solutions, the plugin tracks donor activity and manages fundraising campaigns. GiveWP integrates with various payment gateways and can be customized for diverse needs. Its user-friendly interface and extensive support make it a favorite among WordPress site managers. With thousands of active installations, it serves as an essential tool for charity organizations worldwide.
Missing Authorization vulnerabilities occur when an application fails to enforce proper access controls on privileged operations. In this specific case, the GiveWP plugin through version 2.5.9 allows unauthorized users to change settings, because certain admin scripts of the plugin perform no authorization check before acting on a request. Exploitation of this flaw requires no credentials or user authentication. Such vulnerabilities pose significant risks, including unauthorized financial transactions. Ensuring that robust authorization mechanisms are in place is crucial to mitigating them.
The technical details of this vulnerability relate to the lack of proper authorization checks in certain admin actions of the GiveWP plugin. Specifically, the vulnerability exists in the includes/gateways/stripe/includes/admin/admin-actions.php file. Here, the plugin's settings can be altered without requiring authentication. An attacker can send HTTP GET requests to certain endpoints, passing specific parameters that result in settings modifications. This absence of an authorization check can lead to unauthorized changes in payment gateway settings. It underscores the necessity of validating user access rights in every administration action.
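As an added illustration, not GiveWP's code and not the scanner's, the pattern described above (a WordPress admin action that updates a setting without checking who is asking) is shown next to a hardened version of the same action. All function, option, query-parameter and nonce names are hypothetical; the `manage_give_settings` capability name is assumed for the example.

```php
<?php
// Illustrative only: not GiveWP's code. Shows the missing-authorization
// pattern on a WordPress admin_init action and its hardened counterpart.
// Note that admin_init also fires for admin-ajax.php and admin-post.php,
// which unauthenticated visitors can reach, so a handler hooked there is
// NOT implicitly protected by the WordPress login.

// VULNERABLE PATTERN: any request carrying the expected query parameter
// reaches update_option(); nothing verifies the requester's rights.
function example_insecure_settings_action() {
    if ( isset( $_GET['example_action'] ) && 'update_gateway' === $_GET['example_action'] ) {
        $value = sanitize_text_field( wp_unslash( $_GET['example_gateway_value'] ?? '' ) );
        update_option( 'example_gateway_setting', $value ); // hypothetical option name
    }
}

// HARDENED PATTERN: same action, gated by a capability check and a nonce.
function example_secure_settings_action() {
    if ( ! isset( $_GET['example_action'] ) || 'update_gateway' !== $_GET['example_action'] ) {
        return;
    }

    // 1. Authorization: only users holding the settings capability may proceed.
    //    'manage_give_settings' is assumed to be the plugin's admin capability.
    if ( ! current_user_can( 'manage_give_settings' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
    }

    // 2. Intent: a nonce ties the request to a form the admin actually submitted,
    //    so a logged-in admin cannot be tricked into triggering it from elsewhere.
    check_admin_referer( 'example_update_gateway' );

    // 3. Input handling is unchanged; it was never the missing control here.
    $value = sanitize_text_field( wp_unslash( $_GET['example_gateway_value'] ?? '' ) );
    update_option( 'example_gateway_setting', $value ); // hypothetical option name
}

add_action( 'admin_init', 'example_secure_settings_action' );
```

The link that triggers the hardened action must be built with `wp_nonce_url()` using the same `example_update_gateway` nonce action, otherwise `check_admin_referer()` rejects it.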
When exploited, this vulnerability can have severe consequences for affected websites, particularly those handling monetary transactions. An attacker could alter payment settings so that donations intended for a charity are misdirected or captured. Compromised settings could also facilitate unauthorized transactions, resulting in financial losses or data breaches. The integrity and security of donation records may be affected as well, eroding trust among the donor community. Organizations might face reputational damage and financial repercussions from such unauthorized modifications. Proper authorization checks on every settings update prevent this class of failure.
REFERENCES
- https://blog.nintechnet.com/multiple-vulnerabilities-fixed-in-wordpress-givewp-plugin/
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-259-missing-authorization-to-settings-update
- https://nvd.nist.gov/vuln/detail/CVE-2020-20627
- https://github.com/20142995/nuclei-templates