Thousands of WordPress sites potentially at risk from plugin security flaw

More than a hundred thousand WordPress websites are reportedly vulnerable to an exploit which allows threat actors to run malicious code remotely and completely unauthenticated, as well as being able to delete arbitrary files at will.

A cybersecurity researcher with the alias villu164, discovered a 10/10 vulnerability in a WordPress plugin called GiveWP, which is designed to facilitate online donations, making it easier for nonprofits, charities, and other organizations to collect funds directly through their websites.

The researcher found a PHP Object Injection vulnerability, stemming from a function that validates and sanitizes form data (including payment information) before it passes it to the specified gateway.

A patch is available

The vulnerability is tracked as CVE-2024-5932, and is found in all versions of the plugin, up to 3.14.2, which was released on August 7 2024 and fixes the problem. The bug “makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files,” WordPress security researchers Wordfence said in its report.

“We encourage WordPress users to verify that their sites are updated to the latest patched version of GiveWP as soon as possible considering the critical nature of this vulnerability,” Wordfence concluded. At press time, the latest version of the plugin was 3.15, which was released a week ago. The plugin has 100,000+ active installations, and is available in 24 languages.

The researcher who discovered the flaw, villu164, has earned themselves a $5,000 bounty reward for discovering the flaw.

WordPress is the world’s number one website builder platform, powering roughly half of all websites in existence. While it is generally considered secure, it offers a store with thousands of plugins and themes, not all of which are as secure as the underlying platform itself.

Via The Hacker News

More from TechRadar Pro

https://cdn.mos.cms.futurecdn.net/ebZTsHB4jGup8yK4ebtwyR-1200-80.jpg

Source link

The latest version of open source Photoshop rival GIMP is finally nearing release

You can’t rush art but you should rush to this massive discount: $120 off the Razer Stream Controller at Amazon

Zoom claims it is outperforming the likes of Microsoft Teams when it comes to AI power

Dell Unveils AI and Cybersecurity Solutions at Microsoft Ignite 2024

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Thousands of WordPress sites potentially at risk from plugin security flaw

The latest version of open source Photoshop rival GIMP is finally nearing release

You can’t rush art but you should rush to this massive discount: $120 off the Razer Stream Controller at Amazon

Zoom claims it is outperforming the likes of Microsoft Teams when it comes to AI power

Dell Unveils AI and Cybersecurity Solutions at Microsoft Ignite 2024