During source code review, I noticed an XSS vulnerability in version 2.9.7 of the GiveWP WordPress plugin. It appears to have been vulnerable since 2.4.0 and has been fixed in 2.10.0.
As of this writing, GiveWP is installed on 100,000+ WordPress instances. The vulnerability has been present since at least 2.4.0 (January 16th, 2019) and may have existed earlier in another form. Because the payload is reflected on an admin-only page, exploitation requires an authenticated administrator to open a crafted link.
Update to GiveWP 2.10.0 or later to remediate this issue. After I notified GiveWP, they released a fix the same day, about 8 hours later.
Proof of Concept
In class-donor-table.php, the source of the vulnerable parameter has no sanitization applied:
At the sink, that source is used directly; no sanitization or output escaping happens before it is written into the page:
The sink is later included in donors.php, the page administrators see at
To confirm the vulnerability, a request was crafted in Burp Suite (payload highlighted):
The payload is then reflected unencoded in the response:
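The following is an added example and is not GiveWP's code or the fix it shipped; it models the bug class described above, a GET parameter read as a source in a WP_List_Table-style class and written unescaped into an attribute on an admin-only page, next to the hardened form. The class names, the `donor_filter` parameter and the crafted value are hypothetical stand-ins, and the `esc_attr`/`sanitize_text_field` fallbacks only exist so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example (not GiveWP code): source -> sink reflected XSS in a
// WordPress admin list table, and the sanitize-on-input / escape-on-output fix.
// Parameter name "donor_filter" and class names are hypothetical.

// Stand-ins so this runs outside WordPress; inside WP the real functions win.
// The sanitize_text_field stand-in is an approximation of the WP function.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}

// Vulnerable pattern: the query-string value travels from source to sink
// with no sanitization and no context-aware escaping.
class Vulnerable_Donor_Table {
    private $filter;

    public function __construct(array $get) {
        // SOURCE: attacker-controlled query string, taken verbatim.
        $this->filter = isset($get['donor_filter']) ? $get['donor_filter'] : '';
    }

    public function search_box() {
        // SINK: raw value concatenated into an HTML attribute.
        return '<input type="search" name="donor_filter" value="' . $this->filter . '" />';
    }
}

// Hardened pattern: sanitize at the source, escape for the attribute
// context at the sink (esc_attr for attributes, esc_html for text nodes).
class Fixed_Donor_Table {
    private $filter;

    public function __construct(array $get) {
        $this->filter = isset($get['donor_filter']) ? sanitize_text_field($get['donor_filter']) : '';
    }

    public function search_box() {
        return '<input type="search" name="donor_filter" value="' . esc_attr($this->filter) . '" />';
    }
}

// Constructed input: the query string an admin would receive in a crafted
// link, e.g. /wp-admin/...&donor_filter=<payload>. The payload closes the
// value attribute and injects an event handler that fires on page load.
$crafted = array('donor_filter' => '" autofocus onfocus=alert(document.domain) x="');

$vuln  = (new Vulnerable_Donor_Table($crafted))->search_box();
$fixed = (new Fixed_Donor_Table($crafted))->search_box();

echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";

// Reflection check: three attributes need exactly six double quotes. The
// vulnerable output carries the payload's two extra quotes (attribute
// break-out); the fixed output turns them into &quot; and stays at six.
$broken_out = substr_count($vuln, '"') > 6;
$contained  = substr_count($fixed, '"') === 6 && strpos($fixed, '&quot;') !== false;

echo 'vulnerable output breaks out of the attribute: ' . ($broken_out ? 'yes' : 'no') . "\n";
echo 'fixed output keeps the payload inside the attribute: ' . ($contained ? 'yes' : 'no') . "\n";
```

Running this under `php` prints both renderings; the vulnerable one contains a live `onfocus` handler outside the `value` attribute, while the hardened one keeps the whole string as inert attribute text. The quote count is a cheap stand-in for the manual check done in Burp above: if the response contains more attribute delimiters than the template emits, the input reached the sink unescaped.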
Test Environment
- GiveWP 2.9.7
- WordPress 5.7
- XAMPP 7.4.16
- Firefox 86.0.1
- Default configurations on all products
Timeline
- 3/21/2021: Emailed GiveWP for security contact information
- 3/22/2021: WPScan CNA issued CVE-2021-24213 (unreleased)
- 3/22/2021 9 AM: Provided vendor with PoC
- 3/22/2021 5 PM: Vendor provided fix in 2.10.0
- 3/23/2021 8 AM: Fix validated, article posted, CVE unlocked