CVE CyberSecurity Database News

CVE-2024-5932 - Critical PHP Object Injection Vulnerability in GiveWP WordPress Plugin (Up to 3.14.1) – Exploit Details and Mitigation

Poster -

---

What is CVE-2024-5932?

*CVE-2024-5932* refers to a serious vulnerability found in the GiveWP – Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to and including 3.14.1. This flaw allows attackers to exploit a weakness in how the plugin handles the give_title parameter. By sending specially crafted data, a remote, unauthenticated attacker can inject PHP objects into the server’s memory. With the right conditions, this can lead not only to malicious code execution but also to deleting any file on the website’s file system.

Why is it Dangerous?

This vulnerability enables what’s called a _PHP Object Injection_. If there is another vulnerability in the code called a “POP chain” (Property Oriented Programming chain), the attacker can execute arbitrary PHP code, resulting in Remote Code Execution (RCE) or deletion of any file (arbitrary file deletion). Worse still, this can be triggered without logging in—meaning any website visitor can launch the attack.

How Does the Exploit Work?

The key issue is the handling of the give_title parameter. If an attacker submits serialized PHP objects into this field and the plugin then deserializes the data, the attacker can get their malicious objects instantiated and executed on the server.

*A simple attack flow might look like:*

1. Attacker crafts a malicious serialized PHP object, possibly using a class present on the WordPress site that, when deserialized, executes code or deletes files.
2. Attacker sends a POST request with the malicious payload in the give_title parameter to an endpoint handled by GiveWP.
3. Plugin unserializes the attacker’s data—if a POP chain is present, attacker wins: code runs or files get deleted.

Example Exploit Code

Below is a simplified Python example to send a malicious payload (for demo purposes only!). In an actual attack, the payload would depend on available PHP classes that can be abused in the website’s codebase.

import requests

# Host details
target_url = "https://vulnerable-website.com/?give_forms=1";

# Malicious PHP serialized payload (example: crafted using PHPGGC and selected gadget)
malicious_payload = 'O:6:"Gadget":1:{s:4:"file";s:15:"/var/www/wp-config.php";}'

payload = {
    "give_title": malicious_payload,  # Inject the serialized object here
    "give_form_id": 1,
}

r = requests.post(target_url, data=payload)
print(f"HTTP {r.status_code}\n{r.text[:500]}")

*Note: Replace the payload string with one generated for the exact class/POP chain available on the target.*

How Attackers Generate the Payload

Attackers often rely on tools like PHPGGC to find usable “gadget chains” for deserialization. A real payload would be different for each site, as it depends on which PHP classes are loaded—core, plugins, themes, or custom code.

Risks

- Remote Code Execution (RCE): The worst-case scenario. If a POP chain allows, attackers could upload backdoors or execute system commands.
- Arbitrary File Deletion: Removal of critical configuration files like wp-config.php will break the website or compromise sensitive information.

Real-World Impact

Attackers who know about this bug can break or take over any vulnerable WordPress site using GiveWP unless the plugin is updated promptly. Unauthenticated bugs mean mass exploitation by bots is likely.


## Fix / Mitigation

What site owners and admins should do

- Update GiveWP immediately to the latest version from the official WordPress repository.
- Check for suspicious activity, such as new admin users, changes in files, or deleted configuration files.

References

- NVD Entry: CVE-2024-5932
- GiveWP WordPress Plugin Repository
- WPScan Vulnerability Database – GiveWP
- How PHP Object Injection Works (OWASP)
- PHPGGC POP Chain Generator

Summary

If you use GiveWP for WordPress—update it now. The CVE-2024-5932 vulnerability can let any attacker run code or erase important files on your website. All versions up to 3.14.1 are affected. This threat is serious, easy to exploit, and will likely be targeted by attackers quickly.

Timeline

Published on: 08/20/2024 02:15:04 UTC
Last modified on: 08/20/2024 15:44:20 UTC