CVE-2024-11921 - Exploiting Reflected XSS in GiveWP WordPress Plugin < 3.19.

> Summary: GiveWP, a popular WordPress donation plugin, had a dangerous security flaw (CVE-2024-11921) in versions before 3.19.. The bug allowed reflected Cross-Site Scripting (XSS) because user input was not properly sanitized before being echoed back into a page. An attacker could trick a user, including an admin-level user, into running a script in their browser, and potentially take control of the site that way.

Below is a plain explanation of the bug, a code example, and what you should do.

What is GiveWP?

GiveWP helps non-profits and websites collect donations easily via WordPress. It's one of the most-installed and trusted plugins for online fundraising.

CVE-2024-11921 is a vulnerability found in GiveWP plugin versions before 3.19..

- The plugin fails to sanitize user-supplied data in one of its URL parameters before displaying it back in the page.
- When an attacker sends a crafted link to a user (for example, an admin), the malicious JavaScript is executed in the user’s browser.

Reflected XSS means the script only runs when someone opens a crafted link; nothing is permanently stored on the site.

Technical Details

Let’s say the plugin had a page that echoes back a parameter called form-id directly into the HTML without cleaning it. For instance, accessing:

https://victim.com/donations?form-id=VALUE_HERE

The plugin would display the form-id value back in the page, possibly in an error message, a confirmation, or a log area.

If the plugin does not sanitize this value, an attacker could use a URL such as

https://victim.com/donations?form-id=%3Cscript%3Ealert('XSS')%3C/script%3E

Vulnerable PHP Snippet

```php
<?php
// Example vulnerable code: the query-string value is echoed straight into HTML
$form_id = $_GET['form-id'];
echo "Form ID: " . $form_id; // Output is not sanitized!
?>
```

If you visit

/donations?form-id=<script>alert('XSS')</script>

the page outputs

Form ID: <script>alert('XSS')</script>

The browser runs the script.
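To make the fix concrete, here is an added example (written for this article, not GiveWP's own code) that places the unsanitized echo from the snippet above next to a hardened version. The parameter name form-id is the one used in this article; validate_form_id() and esc_html_stub() are plain-PHP stand-ins for WordPress's absint() and esc_html() so the script runs outside WordPress too.

```php
<?php
// Added example, not GiveWP's code. Vulnerable and hardened handling of the
// form-id query parameter side by side.

// Vulnerable: reflects the raw query-string value into HTML.
function render_form_id_vulnerable(array $query): string
{
    $form_id = $query['form-id'] ?? '';
    return "Form ID: " . $form_id; // no escaping at all
}

// Hardened, step 1: validate. A form ID is a positive integer, so anything
// else is rejected. This alone removes the XSS for this parameter.
// (Stand-in for WordPress's absint(); an assumption of this example.)
function validate_form_id(array $query): ?int
{
    $raw = (string) ($query['form-id'] ?? '');
    if (!preg_match('/^\d{1,10}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened, step 2: escape on output. Every value that reaches HTML goes
// through this, including a rejected input shown in an error message.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8. (Stand-in for WordPress's esc_html().)
function esc_html_stub(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_form_id_hardened(array $query): string
{
    $form_id = validate_form_id($query);
    if ($form_id === null) {
        // Reflect the rejected input only in escaped form.
        $shown = esc_html_stub((string) ($query['form-id'] ?? ''));
        return "Invalid form ID: " . $shown;
    }
    return "Form ID: " . esc_html_stub((string) $form_id);
}

// Constructed sample input: the payload used in this article.
$payload = ['form-id' => "<script>alert('XSS')</script>"];

echo "vulnerable : ", render_form_id_vulnerable($payload), PHP_EOL;
echo "hardened   : ", render_form_id_hardened($payload), PHP_EOL;
echo "hardened   : ", render_form_id_hardened(['form-id' => '42']), PHP_EOL;
```

Run it with `php example.php`. The vulnerable line reproduces the raw script tag; the hardened lines show the tag with `<`, `>` and quotes encoded as HTML entities, which the browser displays as text instead of executing. Validation and output escaping are kept as two separate steps on purpose: validation narrows the parameter to what it should be, and escaping protects every other place a string might still end up in HTML.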

If the victim is an administrator, the injected script runs with the administrator's session and privileges, so it could, for example, install malicious plugins or plant backdoors.

*Because GiveWP integrates with payment gateways and sensitive donor info, a successful attack could be very damaging!*

Update GiveWP right now:

3.19. changelog shows the vulnerability is patched.

More Reading:

- Wordfence Advisory
- Official PATCH
- NVD Entry

You can test the vulnerability (on your own staging site only) with this URL:

https://testsite.com/donations?form-id=<script>alert(document.domain)</script>

If you see a popup, you're vulnerable.
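Besides testing a staging copy, a site owner will want to know whether anyone has already been sending such links. The following added example (not part of the article or of GiveWP) scans web-server access-log lines and flags requests whose form-id parameter, the parameter name used in this article, contains HTML markup after URL decoding. The three log lines are constructed for the example.

```php
<?php
// Added example, not GiveWP's code: flag access-log requests that carry
// markup in the form-id parameter. Sample log lines are constructed.

$sample_log = <<<'LOG'
203.0.113.5 - - [27/Dec/2024:06:20:01 +0000] "GET /donations?form-id=42 HTTP/1.1" 200 512
203.0.113.9 - - [27/Dec/2024:06:21:14 +0000] "GET /donations?form-id=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 640
198.51.100.7 - - [27/Dec/2024:06:22:30 +0000] "GET /donations?form-id=%253Cscript%253E HTTP/1.1" 200 600
LOG;

// URL-decode repeatedly (bounded) so double-encoded values such as %253C,
// which the web server would decode once and the plugin again, are caught.
function decode_repeatedly(string $value, int $max_rounds = 3): string
{
    for ($i = 0; $i < $max_rounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// True when the decoded value contains characters that have no business in
// a numeric form ID and could open a tag, attribute or script: URL.
function looks_like_markup(string $decoded): bool
{
    return (bool) preg_match('/[<>"\']|javascript:/i', $decoded);
}

// Returns the flagged requests as [client_ip, decoded form-id] pairs.
function scan_access_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Common/combined log format: client IP first, request in quotes.
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[2], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        // Split the raw query ourselves so the scanner controls decoding.
        foreach (explode('&', $query) as $pair) {
            [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
            $decoded = decode_repeatedly($value);
            if ($key === 'form-id' && looks_like_markup($decoded)) {
                $hits[] = [$m[1], $decoded];
            }
        }
    }
    return $hits;
}

foreach (scan_access_log($sample_log) as [$ip, $value]) {
    printf("suspicious form-id from %s: %s\n", $ip, $value);
}
```

With the constructed input, the request with `form-id=42` passes and the two encoded script tags are reported. The check is deliberately narrow (a form ID should be a number, so any markup character is worth a look); point the same function at the real log of a vulnerable site, or feed the flagged lines into your SIEM, to find out whether the crafted links described above were ever delivered.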

Always sanitize data that goes into HTML from user input.

GiveWP has patched this XSS. But this incident is a reminder that even trusted plugins can have dangerous bugs. Stay vigilant, keep plugins updated, and check all user input in your custom code!

Stay secure!

---
*References:*
- Wordfence Advisory on CVE-2024-11921
- GiveWP GitHub Pull Fix #552
- National Vulnerability Database


*If you found this helpful, stay tuned for more WordPress security explainers!*

Timeline

Published on: 12/27/2024 06:15:23 UTC
Last modified on: 12/27/2024 19:15:07 UTC