Detections
Analytics
WordPress Plugin 'GiveWP - Donation Plugin and Fundraising Platform' < 3.14.2 RCE
critical Nessus Plugin ID 205871
Language:
Synopsis
The remote WordPress application has a plugin installed that is affected by a remote code execution vulnerability.Description
The WordPress application running on the remote host has a version of the 'GiveWP - Donation Plugin and Fundraising Platform' plugin that is prior to 3.14.2. It is, therefore, affected by a remote code execution vulnerability. Deserialization of malicious PHP objects injected through the 'give_title' parameter can allow an unauthenticated, remote attacker to execute code remotely and delete arbitrary files.Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the 'GiveWP - Donation Plugin and Fundraising Platform' plugin to version 3.14.2 or later through the administrative dashboard.See Also
https://wordpress.org/plugins/give/
Plugin Details
Severity: Critical
ID: 205871
File Name: wordpress_plugin_givewp_CVE-2024-5932.nasl
Version: 1.6
Type: remote
Family: CGI abuses
Published: 8/20/2024
Updated: 10/25/2024
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Critical
Score: 9.4
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 8.3
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2024-5932
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 9.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:givewp:givewp
Required KB Items: installed_sw/WordPress, www/PHP
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 8/7/2024
Vulnerability Publication Date: 8/19/2024
Exploitable With
Metasploit (GiveWP Unauthenticated Donation Process Exploit)
Reference Information
CVE: CVE-2024-5932