
Critical Vulnerabilities leading to RCE in WordPress (CVE-2024-5932, CVE-2024-7777)

Advisory No: TZCERT/SA/2024/08/20

Date of First Release: 20th August 2024

Source: Wordfence

Software Affected: give, bit-form

Overview:

Two WordPress plugins, give and bit-form, are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely (the bit-form issue, per reference 2, requires an authenticated administrator account).

Description:

The WordPress plugins give and bit-form are affected by the vulnerabilities tracked as CVE-2024-5932 and CVE-2024-7777, with CVSS scores of 10 and 9 respectively. give (CVE-2024-5932) is vulnerable to deserialization of untrusted input supplied through the ‘give_title’ parameter (PHP object injection), and bit-form (CVE-2024-7777) to arbitrary file read and deletion due to insufficient file path validation. Remote attackers can exploit these vulnerabilities to execute code on the affected system.
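Both vulnerability classes named above leave a recognisable trace in request parameters: a PHP serialized object (the input an insecure unserialize() call consumes) and a parent-directory sequence in a path-like value. The script below, an added example that is not code from Wordfence, TZ-CERT or either plugin, scans combined-format web server access logs for such parameters so an administrator can check whether the affected plugins were probed before the update was applied. The log lines, IP addresses and timestamps are constructed; `give_title` is taken from the advisory, while the `file` and `action` parameter names are hypothetical placeholders, since the advisory does not name bit-form's parameters.

```python
"""Scan web-server access logs for query parameters that carry a PHP
serialized object or a path-traversal sequence.

Added example for this advisory; not code from Wordfence, TZ-CERT or the
affected plugins. Only `give_title` is known from the advisory, so the
check is applied to every query-string parameter rather than a fixed list.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# `file` and `action=bitform_example` are hypothetical parameter names.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2024:10:15:01 +0000] "GET /?give_title=Hello%20World HTTP/1.1" 200 512
203.0.113.11 - - [20/Aug/2024:10:15:07 +0000] "GET /?give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512
203.0.113.12 - - [20/Aug/2024:10:16:02 +0000] "GET /wp-admin/admin-ajax.php?action=bitform_example&file=..%2F..%2Fexample.txt HTTP/1.1" 200 2048
203.0.113.13 - - [20/Aug/2024:10:17:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64
"""

# Combined-log-format prefix up to and including the status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A PHP serialized object begins with O:<len>:"<class>":<n>:{ ; user input of
# this shape is exactly what makes an unserialize() call on it dangerous.
PHP_OBJECT = re.compile(r'O:\d+:"[^"]*":\d+:\{')

# A parent-directory segment in a path-like value, checked after decoding.
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(name, value):
    """Return a finding label for one parameter value, or None if it looks benign."""
    value = decode_fully(value)
    if PHP_OBJECT.search(value):
        return "php_serialized_object"
    if TRAVERSAL.search(value):
        return "path_traversal"
    return None


def scan_log(text):
    """Return a list of (client_ip, parameter_name, label) for suspicious parameters.

    Only the query string is visible in an access log; POST bodies need a WAF
    or request-body log to be inspected the same way.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            label = classify_param(name, value)
            if label:
                findings.append((m.group("ip"), name, label))
    return findings


if __name__ == "__main__":
    for ip, name, label in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{name}\t{label}")
```

A hit on `give_title` is not proof of compromise, only of an attempt; the actual effect depends on the plugin version installed at the time. POST requests to admin-ajax.php (the last sample line) show no parameters in an access log at all, which is why the Solution section's advice to update promptly matters more than log review.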

Impact:

Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.

Solution:

Security patches have been released for these vulnerabilities. Users and administrators are encouraged to update the affected plugins to the patched versions listed in the references below.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3141-unauthenticated-php-object-injection-to-remote-code-execution
  2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/bit-form/contact-form-by-bit-form-multi-step-form-calculation-contact-form-payment-contact-form-custom-contact-form-builder-20-2139-authenticated-administrator-arbitrary-file-read-and-deletion
