Main Vulnerability Database Vulnerabilities #VU21392

Improper Authentication in Give - Donation Plugin and Fundraising Platform - #VU21392

Published: September 27, 2019

Vulnerability identifier: #VU21392

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: N/A

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: GiveWP

Affected software:
Give - Donation Plugin and Fundraising Platform

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in the "get_user()" parameter when it does a check based on the API key that was provided, but doesn’t verify if the key was one generated by the Give API, but rather just fetches the "user_id" for any meta key in the "wp_usermeta" table. A remote attacker can bypass authentication process and gain unauthorized access to personally identifiable user information (PII), such as names, addresses, IP addresses, and email addresses.

Remediation

Install updates from vendor's website.

Sources

https://www.wordfence.com/blog/2019/09/authentication-bypass-vulnerability-in-givewp-plugin/

Improper Authentication in Give - Donation Plugin and Fundraising Platform - #VU21392

Detailed vulnerability description

Remediation

Sources

Please verify you're human