Description
The Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.8.1.14. This is due to the plugin not properly verifying a user's identity when the ID parameter is supplied through the update_core_user() function. This makes it possible for unauthenticated attackers to update the email address and password of arbitrary user accounts, including administrators, which can then be used to log in to those user accounts.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2024-49421
1. Vulnerability Assessment and Severity Evaluation
The vulnerability identified in the "Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress" plugin is a privilege escalation issue. This vulnerability allows unauthenticated attackers to update the email address and password of arbitrary user accounts, including administrators. The severity of this vulnerability is rated with a CVSS Base Score of 9.8, which is considered critical.
CVSS Vector Breakdown:
- AV:N (Network Vector): The vulnerability is exploitable over the network.
- AC:L (Low Complexity): The attack requires low skill or resources.
- PR:N (No Privileges Required): No authentication is required to exploit the vulnerability.
- UI:N (No User Interaction): No user interaction is required.
- S:U (Unchanged): The scope of the vulnerability does not change.
- C:H (High Confidentiality Impact): Complete loss of confidentiality.
- I:H (High Integrity Impact): Complete loss of integrity.
- A:H (High Availability Impact): Complete loss of availability.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Unauthenticated Access: An attacker can exploit the vulnerability without needing to authenticate.
- Parameter Manipulation: The attacker can manipulate the ID parameter supplied through the update_core_user() function to target specific user accounts.
Exploitation Methods:
- Email and Password Update: By manipulating the ID parameter, an attacker can update the email address and password of any user, including administrators.
- Account Takeover: Once the email and password are updated, the attacker can log in as the targeted user, gaining full control over the account.
3. Affected Systems and Software Versions
Affected Software:
- Charitable – Donations Plugin for WordPress – Fundraising with Recurring Donations & More
Affected Versions:
- All versions up to and including 1.8.1.14
Vendor:
- smub
4. Recommended Mitigation Strategies
Immediate Actions:
- Update the Plugin: Ensure that the plugin is updated to a version that addresses this vulnerability.
- Disable the Plugin: If an update is not available, consider disabling the plugin until a fix is released.
- Monitor for Suspicious Activity: Implement monitoring to detect any unauthorized changes to user accounts.
Long-Term Strategies:
- Regular Updates: Maintain a regular update schedule for all plugins and software.
- Access Controls: Implement strict access controls and monitoring for administrative accounts.
- Security Audits: Conduct regular security audits and vulnerability assessments.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations and individuals using the affected plugin within the European Union. Given the critical nature of the vulnerability, it could lead to widespread account takeovers, data breaches, and potential financial losses. The EU's General Data Protection Regulation (GDPR) compliance could also be at risk, as unauthorized access to user data could result in severe penalties.
6. Technical Details for Security Professionals
Vulnerable Function:
update_core_user()
Code Reference:
- The vulnerability is located in the class-charitable-user.php file, specifically around line 872.
Exploitation Steps:
- Identify the target user's ID.
- Craft a request to the update_core_user() function with the target user's ID and the desired email and password.
- Submit the request to update the user's credentials.
- Log in using the updated credentials to gain control over the account.
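What the missing identity check looks like when done correctly, as an added example rather than the plugin's own code: a hypothetical WordPress handler that binds the account being updated to the authenticated session and only accepts a different ID from callers holding the edit_user capability for that user. The function name and the audit hook name are assumptions; the WordPress API calls are standard core functions.

```php
<?php
// Illustrative hardened handler (example code, not the Charitable plugin's own).
// A client-supplied user ID must never decide WHICH account gets updated:
// derive the target from the authenticated session, and allow a different ID
// only when the caller is authorised to edit that specific user.

function example_update_user_profile( array $values ) {
    // 1. Reject unauthenticated requests outright. The CVSS vector above
    //    (PR:N) reflects that the vulnerable path could be reached without this.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }

    // 2. Bind the target account to the session, not to the request body.
    $current_id = get_current_user_id();
    $target_id  = isset( $values['ID'] ) ? absint( $values['ID'] ) : $current_id;

    // 3. Editing another account requires the edit_user meta capability for
    //    that user (administrators have it; ordinary donors do not).
    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        return new WP_Error( 'forbidden', 'You may only update your own account.', array( 'status' => 403 ) );
    }

    // 4. Whitelist the fields that may change; never pass the raw array through.
    $userdata = array( 'ID' => $target_id );
    if ( ! empty( $values['user_email'] ) && is_email( $values['user_email'] ) ) {
        $userdata['user_email'] = sanitize_email( $values['user_email'] );
    }
    if ( ! empty( $values['user_pass'] ) ) {
        $userdata['user_pass'] = $values['user_pass']; // wp_update_user() hashes it
    }

    $result = wp_update_user( $userdata );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // 5. Emit an audit event so credential changes can be monitored
    //    (supports the "Monitor for Suspicious Activity" recommendation).
    //    Hook name is an assumption for this example.
    do_action( 'example_user_profile_updated', $target_id, $current_id, array_keys( $userdata ) );

    return $target_id;
}
```

Any handler that accepts an ID from the request and skips steps 1 and 3 has exactly the class of defect described in this advisory, regardless of how the rest of the update is implemented.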
References:
Aliases:
- CVE-2024-8791
Assigner:
- Wordfence
EPSS:
- N/A
ENISA ID Product:
- 50fdf52f-02f5-3d2b-9880-3d3836585350: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More, versions * ≤1.8.1.14
ENISA ID Vendor:
- e840dbde-3efb-34f5-8169-e0cc60884e32: smub
By addressing this vulnerability promptly and implementing robust security measures, organizations can mitigate the risk of exploitation and protect their digital assets.