GiveWP < 2.33.4 – Cross-Site Request Forgery to Stripe Integration Deletion | CVE 2023-4248 | Plugin Vulnerabilities

Description

The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers to deactivate the plugin's stripe integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 2.33.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2bff8dea-6971-47d4-bd2c-0821687033e5

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Marco Wotschka

Verified

No

WPVDB ID

cca8acb0-5c1d-42e1-a4a3-21695df279c4

Timeline

Publicly Published

2023-10-31 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-03-21

Title

CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 - Cross-Site Request Forgery to Font Assignment Deletion

Published

2023-12-26

Title

Rise Blocks – A Complete Gutenberg Page Builder < 3.2 - Cross-Site Request Forgery

Published

2025-01-03

Title

WP Social AutoConnect < 4.6.3 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Published

2024-04-05

Title

WooCommerce Checkout Field Editor (Checkout Manager) < 2.1.9 - Cross-Site Request Forgery

Published

2024-08-22

Title

Easy Property Listings < 3.5.4 - Arbitrary Contact Deletion via CSRF