A Privilege Escalation vulnerability has been identified in the WordPress GiveWP Plugin. This vulnerability could allow a malicious actor with low privileges to escalate their privileges to something higher, such as an administrator account. This could then be used to take full control of the website.
This vulnerability was discovered and responsibly reported by Rafie Muhammad (Patchstack).
The vulnerability is a Privilege Escalation vulnerability that occurs in the give/admin/reports/forms.php file. The vulnerability allows an attacker with low privileges to execute arbitrary PHP code by exploiting a flaw in the way that the plugin handles file uploads.
The vulnerability has a CVSS 3.1 score of 7.2, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
The vulnerability affects all versions of the GiveWP Plugin prior to 2.33.1.
An attacker who successfully exploits this vulnerability could:
- Escalate their privileges to something higher, such as an administrator account.
- Take full control of the website.
To secure the website and protect it from potential exploitation related to this vulnerability, please follow these recommendations:
- Update the Plugin: Users of the GiveWP Plugin are strongly advised to update to the latest available version (at least 2.33.1). This vulnerability has been fixed in version 2.33.1.
- Stay Informed: Informed about official updates or advisories related to the GiveWP Plugin. Timely updates and heightened awareness are pivotal for preserving the website’s security.