MalCare’s Atomic Security Shields Sites From Critical GiveWP PHP Object Injection Vulnerability
A critical level 10 vulnerability in the GiveWP plugin has been discovered and patched. This issue impacted over 100,000 sites. Hackers could exploit it to inject a PHP object, allowing them to execute code remotely and delete files.
If your site uses MalCare’s Atomic Security, there’s no need to worry. Atomic Security is designed to guard against all vulnerabilities, whether known or unknown. It stops exploits targeting vulnerabilities, even before patches are available.
Still, we strongly advise updating the GiveWP plugin on your site as soon as possible, even if you are a MalCare user.
What is the vulnerability?
Plugin information
About the vulnerability
GiveWP is a WordPress plugin that allows websites to accept donations and gifts for charity or other purposes. It boasts customizable donation forms, donor data and fundraising reports, donor management, and integration with a wide variety of third-party gateways and services.
In versions before v3.14.2, the GiveWP plugin is vulnerable to remote code execution (RCE) through PHP object injection, because untrusted input from the give_title parameter is deserialized. This vulnerability is extremely serious and has received the maximum CVSS score of 10 (Critical).
Examining the code shows that the plugin uses the give_process_donation_form() function to handle donations. Right at the start, this function validates the post data using give_donation_form_validate_fields(). This validation function checks if the post data contains serialized values through give_donation_form_has_serialized_fields().
However, in the vulnerable version, the give_title post parameter is not included in this validation. After validation, the give_process_donation_form() function calls give_get_donation_form_user().
This part of the code sets the user’s user_title based on the give_title post parameter. Next, the give_process_donation_form() function sets $donation_data, which includes $user_info based on the previous user values, and calls give_send_to_gateway().
This function sends all payment data to the specified gateway. During this process, the donor is added using the insert() function in the DonorRepository class.
The prefix meta is saved in the database with the key _give_donor_title_prefix, and its value is the serialized user’s user_title. During payment processing, the _give_donor_title_prefix meta is retrieved with the get_meta() function in the setup_user_info() function of the Give_Payment class, which unserializes the previously saved object.
A PHP POP chain in this setup allows an attacker to execute arbitrary code, delete files, and potentially take over a vulnerable site.
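The two gaps described above are the missing serialized-value check on give_title and the unguarded unserialize() of the stored meta. The following is an added example (not GiveWP's code; the helper names are hypothetical) showing how a plugin can close both: validate every submitted field, and never allow object instantiation when reading stored values back.

```php
<?php
// Added example, not GiveWP code. Helper names are hypothetical.

// Does a string look like PHP serialized data? Mirrors the intent of WordPress
// core's is_serialized(): a type letter followed by ':' (or the literal 'N;').
function looks_serialized(string $value): bool {
    return (bool) preg_match('/^(?:N;|[aOC]:\d+:|[sibd]:)/', trim($value));
}

// Check ALL submitted donation fields, including give_title, which the
// vulnerable versions skipped. Returns the names of offending fields.
function find_serialized_fields(array $post): array {
    $bad = [];
    foreach ($post as $key => $value) {
        if (is_string($value) && looks_serialized($value)) {
            $bad[] = $key;
        }
    }
    return $bad;
}

// Defensive read of a stored meta value: allowed_classes => false means a
// serialized object can never become a live object with magic methods.
function read_title_prefix(string $stored) {
    if (!looks_serialized($stored)) {
        return $stored;
    }
    return unserialize($stored, ['allowed_classes' => false]);
}

// Constructed sample request: ordinary fields plus a give_title carrying a
// serialized object. "Some_Gadget" is a placeholder class name, not a real one.
$request = [
    'give_first' => 'Ada',
    'give_email' => 'ada@example.test',
    'give_title' => 'O:11:"Some_Gadget":1:{s:4:"note";s:5:"hello";}',
];

$offending = find_serialized_fields($request);   // ['give_title']
if ($offending) {
    // A plugin would abort here (e.g. register a form error) instead of saving.
    echo 'Rejected serialized fields: ' . implode(', ', $offending) . PHP_EOL;
}

// Even if such a value had already reached the database, the guarded read
// yields a __PHP_Incomplete_Class, so no __wakeup/__destruct gadget can run.
$obj = read_title_prefix($request['give_title']);
echo get_class($obj) . PHP_EOL;   // __PHP_Incomplete_Class
```

The first check stops the payload at submission time; the second makes the stored meta harmless even on sites where a malicious value was written before the plugin was updated.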
This vulnerability has now been fixed with the release of GiveWP v3.14.2 on August 7, 2024.
Who discovered this vulnerability?
The GiveWP PHP object injection vulnerability was discovered by independent security researcher villu164 on May 26, 2024, who reported it to Wordfence’s Bug Bounty Program. Consequently, Wordfence informed GiveWP, the plugin developers, on June 13, 2024, following which a patch was released on August 7, 2024.
How is your WordPress site at risk?
Your WordPress site is at risk if it is running GiveWP version 3.14.1 or older.
Your site is vulnerable to RCE attacks, which means hackers could inject and run malicious code remotely. This could allow them to gain admin-level control and wreak havoc.
Here’s how bad it can get if a hacker gains full access to your site:
We strongly recommend that you update the GiveWP plugin on your WordPress site immediately, at least to v3.14.2, regardless of whether you are a MalCare user or not! Doing so will safeguard your site, protect your reputation, and maintain your visitors’ trust.
How to clean your site?
If your WordPress site is compromised, take these practical steps to recover and strengthen your site’s security:
- Run a MalCare scan: Use MalCare to quickly remove malware and fortify your site against future attacks with its Atomic Security feature.
- Update plugins and themes: Regularly update all your plugins and themes, especially the User Registration plugin. Older versions might have vulnerabilities that hackers can exploit. MalCare’s dashboard alerts you about outdated plugins and themes, making maintenance easy and boosting security.
- Review user roles and permissions: Check the roles and permissions assigned to all users. Revoke access immediately if you find anything suspicious.
- Refresh WordPress salts and security keys: This will force all users to log out and end active sessions, thereby boosting your site’s security. MalCare includes this step in its cleanup routine for added convenience.
- Change login credentials: Update your admin password, ensure all user sessions are terminated, advise users to change their passwords, and encourage the use of strong, new passwords.
- Enhance login security: Implement two-factor authentication (2FA) and limit login attempts to reduce the risk of unauthorized access.
- Continuously monitor your site: MalCare continuously monitors your site for unusual activities, provides alerts for potential threats, and persistently scans for malware.
How does MalCare protect your site?
A WordPress firewall is just a small part of what MalCare offers for safeguarding your WordPress site. Here’s what else MalCare does:
MalCare wraps your WordPress site in a protective shield, combining proactive measures with strong defenses to keep your site secure and intact.