Critical Privilege Escalation Vulnerability in Charitable WordPress Plugin Affects Over 10,000 sites
On August 10, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in the Donation Forms by Charitable plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by supplying a role during a registration.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 10, 2023. Sites still using the free version of Wordfence will receive the same protection on September 9, 2023.
We contacted WP Charitable Team via email on August 10, 2023, but we didn’t get a response. Next, we tried to contact them via a contact form on their site on August 16, 2023, and we received a response on the same day. After providing full disclosure details, the developer released a patch on August 17, 2023. We would like to commend the WP Charitable Team for their prompt response and timely patch, which was released in just one day.
We urge users to update their sites with the latest patched version of Charitable, which is version 1.7.0.13 at the time of this writing, as soon as possible.
As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.
Vulnerability Summary from Wordfence Intelligence
Description: Donation Forms by Charitable sanitize_display_name( $values );
if ( $display_name ) {
$values[‘display_name’]=$display_name;
}
/* Insert the user */
if ( 0==$this->ID ) {
if ( ! isset( $values[‘user_pass’] ) || strlen( $values[‘user_pass’] )==0 ) {
charitable_get_notices()->add_error( ‘ERROR: Password field is required.’ );
return false;
}
if ( ! isset( $values[‘user_login’] ) ) {
$values[‘user_login’]=$values[‘user_email’];
}
/**
* `wp_insert_user` calls `sanitize_user` internally – make the
* same call here so `$values[‘user_login’]` matches what is
* eventually saved to the database
*/
$values[‘user_login’]=sanitize_user( $values[‘user_login’], true );
$user_id=wp_insert_user( $values );
if ( is_wp_error( $user_id ) ) {
charitable_get_notices()->add_errors_from_wp_error( $user_id );
return false;
}
$this->init( self::get_data_by( ‘id’, $user_id ) );
$signon=Charitable_User::signon( $values[‘user_login’], $values[‘user_pass’] );
if ( is_wp_error( $signon ) ) {
charitable_get_notices()->add_errors_from_wp_error( $signon );
return false;
}
/**
* Do something after a user has been registered.
*
* @since 1.0.0
*
* @param int $user_id The new user’s ID.
* @param array $values Values submitted to register user.
*/
do_action( ‘charitable_after_insert_user’, $user_id, $values );
} else {
$values[‘ID’]=$this->ID;
$user_id =wp_update_user( $values );
}//end if
/* If there was an error when inserting or updating the user, lodge the error. */
if ( is_wp_error( $user_id ) ) {
charitable_get_notices()->add_errors_from_wp_error( $user_id );
return false;
}
/**
* Do something after a user’s account has been updated or created.
*
* @since 1.0.0
*
* @param int $user_id The user’s ID.
* @param array $values Values submitted to save user.
*/
do_action( ‘charitable_after_save_user’, $user_id, $values );
return $user_id;
}
The update_core_user method in the Charitable_User class
As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.
Disclosure Timeline
August 10, 2023 – Discovery of the Privilege Escalation vulnerability in Charitable.
August 10, 2023 – We tried to initiate contact with the plugin vendor via email asking that they confirm the inbox for handling the discussion.
August 10, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
August 16, 2023 – Since we didn’t get a response to the email contact, we tried to contact the plugin vendor via contact form asking that they confirm the inbox for handling the discussion.
August 16, 2023 – The vendor confirms the inbox for handling the discussion.
August 16, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
August 17, 2023 – A fully patched version of the plugin, 1.7.0.13, is released.
September 9, 2023 – Wordfence Free users receive the same protection.
Conclusion
In this blog post, we detailed a Privilege Escalation vulnerability within the Donation Forms by Charitable plugin affecting versions 1.7.0.12 and earlier. This vulnerability allows unauthenticated threat actors to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 1.7.0.13 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Charitable.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 10, 2023. Sites still using the free version of Wordfence will receive the same protection on September 9, 2023.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
Source: wordfence.com