A major security flaw in a donation plugin for WordPress, known as CVE-2024-5932, has left more than 100,000 websites vulnerable to attacks.1
With a critical score of 10/10, this issue allows hackers to take control of websites by running harmful code and deleting important files.
Websites that haven’t updated the plugin are at risk of being targeted by attackers so site owners need to apply the necessary security patch right away.
Who Found The Vulnerability
Wordfence reported that on May 26th, 2024, they received a submission detailing a critical vulnerability in the GiveWP WordPress plugin, which has over 100,000 active users. This flaw, an unauthenticated PHP Object Injection to Remote Code Execution, can be exploited via an existing POP chain in the plugin, allowing attackers to run remote code and delete files.
Researcher villu164, who responsibly reported it through the Wordfence Bug Bounty Program, earned a bug bounty reward of $4,998 for the discovery.
The problem is caused by a flaw in how PHP handles certain data, specifically when it processes data from the give_title field that it doesn’t trust.
Hackers who aren’t logged in can take advantage of this issue to insert a PHP object. If they also use another Property Oriented Programming (POP) flaw, they could run any code they want on the server and even delete files.
Recent Updates
The problem was fixed with the release of version 3.14.2 of the affected plugin. If you have a WordPress site using this plugin, you should update it to the latest version right away to avoid risks.
Even with the fix, there’s a big worry because many websites still haven’t updated. This is especially concerning since the plugin has been downloaded over 60,000 times just in the past week, according to WordPress stats.
Why Is Security Patching Important?
When a security flaw is discovered in a plugin or software, developers usually release an update to fix the issue. If you don’t install these updates, your website can remain vulnerable to attacks that exploit these flaws.
In an episode of The Cybersecurity Insider podcast, security experts advise that you need to make sure that patches are installed correctly. Updating your website’s plugins and software helps keep hackers out and protects your site from possible attacks. Even if a fix is available, many sites might still be exposed if they haven’t been updated yet. This is why it’s important to regularly check for updates and apply them as soon as possible.
Ignoring these updates can lead to serious problems, such as unauthorized access to your website or loss of important data. In the case of the recent plugin issue, thousands of sites remained at risk until they were updated. By staying on top of security patches, you help safeguard your site from these risks and keep your online presence secure.
FAQ
How Vulnerable Are WordPress Sites?
WordPress sites can be vulnerable if not properly maintained. They can be at risk from outdated plugins, weak passwords, or security flaws. To keep your site safe, regularly update your plugins and WordPress version, use strong passwords, and install security plugins. These steps will help protect your site from sudden threats.
Why Is It Important To Keep WordPress Security Up-to-date?
Keeping your WordPress security updated is important because it protects your site from hackers and attacks, closes security flaws and vulnerabilities, and keeps your site safe. Regularly updating ensures you have the latest protections and helps prevent issues like data loss or unauthorized access.
What Happens If Security Patches Are Not Installed?
If you don’t install security patches, your site remains vulnerable to attacks. Hackers can exploit these weaknesses, leading to data loss or unauthorized access. It’s best to update regularly to stay protected. The 2Secure team recommends that you patching your systems now so that your site remains secure.
Source:
- NVD – CVE-2024-5932. (2024). Nist.gov. https://nvd.nist.gov/vuln/detail/CVE-2024-5932