During source code review, I noticed an XSS vulnerability in the 2.9.7 version of the GiveWP WordPress plugin. It appears to have been vulnerable since 2.4.0. It has been fixed in 2.10.0.

Proof of Concept

http://localhost/wp-admin/edit.php?s=%22%3E<script>alert(0)</script>&start-date&end-date&form_id=0&action=-1&paged=1&give_action=delete_bulk_donor&orderby=id&order=DESC&action2=-1&post_type=give_forms&page=give-donors&view=donors

Impact

As of this writing, GiveWP is installed on 100,000+ WP instances. This vulnerability has been present since at least 2.4.0 (Jan 16th 2019). It may have been present earlier in another form. Because the payload is reflected rather than stored, exploitation requires user interaction: an administrator has to open a crafted link.

Resolution

Install GiveWP 2.10.0 to remediate this issue. After I notified GiveWP, they released a fix the same day, around 8 hours later.

Analysis

In class-donor-table.php, the source of the vulnerable parameter (the s search value taken from the query string) is read without any form of sanitization applied. (Screenshot: GiveWP source)

In the sink, the value from the source above is output directly; no sanitization or escaping is applied between source and sink. (Screenshot: GiveWP sink)

The sink is later included in donors.php. This page is visible to administrators at /wp-admin/edit.php?post_type=give_forms&page=give-donors. (Screenshot: GiveWP donors.php)

To confirm the vulnerability, a request was crafted in Burp Suite (payload highlighted). (Screenshot: Burp request)

The payload is then reflected unencoded in the response. (Screenshot: Burp response)
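The source-to-sink pattern described above, reduced to a stand-alone PHP script as an added example. This is not GiveWP's code: the render_search_box_* functions, the fallback definitions of esc_attr() and sanitize_text_field() (used only so the script runs outside WordPress), and the request value are all constructed for illustration. It shows a search box that concatenates the raw s parameter into markup beside the hardened form that normalizes the value on input and escapes it for the attribute context on output.

```php
<?php
// Added example, not GiveWP code. Demonstrates an unsanitized query parameter
// reflected into an HTML attribute, and the hardened equivalent.

// Stand-ins for the WordPress helpers so this file runs outside WordPress.
// Inside WordPress the real functions are already defined and take precedence.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Escape for an HTML attribute context: quotes, angle brackets, ampersands.
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Approximation of the WordPress behaviour: drop tags and control
        // characters and trim surrounding whitespace.
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Vulnerable shape: the raw query parameter is concatenated straight into markup.
// A value containing a double quote closes the attribute and the tag, and the
// remainder is parsed as new HTML.
function render_search_box_vulnerable(array $get): string {
    $search = $get['s'] ?? '';
    return '<input type="search" name="s" value="' . $search . '">';
}

// Hardened shape: normalize the value when it is read, then escape it for the
// exact output context (an attribute value) when it is written.
function render_search_box_fixed(array $get): string {
    $search = isset($get['s']) ? sanitize_text_field((string) $get['s']) : '';
    return '<input type="search" name="s" value="' . esc_attr($search) . '">';
}

// Constructed request value in the same shape as the PoC: it closes the
// attribute and tag and then injects an element.
$constructed_get = ['s' => '"><em>injected</em>'];

echo "vulnerable: " . render_search_box_vulnerable($constructed_get) . "\n";
echo "fixed:      " . render_search_box_fixed($constructed_get) . "\n";
```

Run it with `php example.php`. The vulnerable line emits a closed input tag followed by a live <em> element; the hardened line emits a single input whose value is `&quot;&gt;injected`, so the browser never leaves the attribute. The important design point is that the escaping function must match the output context: esc_attr() for attribute values, esc_html() for text between tags, and a URL or JavaScript escaper for those contexts respectively, since sanitizing on input alone does not make later output safe.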

Testing Setup

  • GiveWP 2.9.7
  • WordPress 5.7
  • XAMPP 7.4.16
  • Firefox 86.0.1
  • Default configurations on all products

Disclosure Log

3/21/2021 -- Emailed GiveWP for security contact information
3/22/2021 -- WPScan CNA issued CVE-2021-24213 (unreleased)
3/22/2021 9AM -- Provided vendor with PoC
3/22/2021 5PM -- Vendor provided fix in 2.10.0
3/23/2021 8AM -- Fix validated, article posted, CVE unlocked