Physical Address
Metro Manila, Philippines
A privilege escalation vulnerability was identified on August 10, 2023 by the Wordfence Threat Intelligence team in the Donation Forms by Charitable plugin, which is actively deployed on more than 10,000 WordPress websites. The vulnerability allows unauthorized attackers to gain administrative privileges by manipulating the user role supplied during registration.
Wordfence responded immediately, issuing a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response users on August 10, 2023. This rule protects against attempts to exploit the vulnerability. Users of the free version of Wordfence will receive the same rule on September 9, 2023.
Initial attempts to contact the WP Charitable team by email on August 10, 2023 did not yield a response. Contact was subsequently established through a form on their website on August 16, 2023, and a response was received the same day. After full disclosure details were provided, the developer released a patch on August 17, 2023.
Users are strongly advised to promptly update their websites to the latest patched version of Charitable, currently version 1.7.0.13.
The implications of this Privilege Escalation vulnerability are significant. Once an attacker gains administrative user access to a WordPress site, they acquire the authority to manipulate all aspects of the targeted site, similar to a regular administrator. This includes potentially malicious activities such as uploading plugin and theme files containing backdoors, as well as altering content to redirect users to harmful sites.
The Charitable plugin for WordPress, in versions up to and including 1.7.0.12, is vulnerable to privilege escalation due to insufficient restriction on the ‘update_core_user’ function. This flaw enables unauthenticated attackers to choose their own user role by supplying a ‘role’ parameter during the registration process.
Charitable, which provides donation forms and fundraising campaigns within WordPress, includes a shortcode ([charitable_registration]) for custom registration. However, the insecure implementation of the registration functionality lets users submit arbitrary parameters during account creation. Because there is neither an allowlist of permitted user parameters nor a blocklist of dangerous ones, a registrant can create an administrator account simply by setting the ‘role’ parameter to the desired role, such as ‘administrator’.
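The root cause described above is a registration handler that forwards every submitted field to the user-creation call. The following is an added, hypothetical PHP illustration (not code from the Charitable plugin) that places that vulnerable pattern beside a hardened handler which allowlists the accepted fields and sets the role server-side; the function names are assumptions, the WordPress functions used are real. It also includes an audit helper a site owner can use to list administrator accounts created since a given date, which is the check to run after updating.

```php
<?php
// Added illustration, not code from the Charitable plugin or Wordfence.
// Hypothetical handlers; WordPress core functions (wp_insert_user,
// sanitize_text_field, get_users, ...) are the real ones.

// --- Vulnerable pattern (illustrative): all submitted keys reach wp_insert_user.
function insecure_register_user( array $submitted ) {
    // A client-supplied 'role' key overrides the server default here.
    $userdata = array_merge(
        array( 'role' => get_option( 'default_role', 'subscriber' ) ),
        $submitted
    );
    return wp_insert_user( $userdata );
}

// --- Hardened pattern: explicit allowlist, role never read from the request.
function secure_register_user( array $submitted ) {
    $allowed_text = array( 'user_login', 'first_name', 'last_name' );
    $userdata     = array();

    foreach ( $allowed_text as $key ) {
        if ( isset( $submitted[ $key ] ) ) {
            $userdata[ $key ] = sanitize_text_field( wp_unslash( $submitted[ $key ] ) );
        }
    }

    // Email and password get their own handling; password is not text-sanitised
    // because that would silently alter it.
    $userdata['user_email'] = sanitize_email( wp_unslash( $submitted['user_email'] ?? '' ) );
    $userdata['user_pass']  = isset( $submitted['user_pass'] )
        ? (string) wp_unslash( $submitted['user_pass'] )
        : wp_generate_password( 24 );

    // Role is decided by the server; any submitted 'role', 'ID' or capability
    // field was never copied into $userdata and is therefore ignored.
    $userdata['role'] = get_option( 'default_role', 'subscriber' );

    if ( empty( $userdata['user_login'] ) || ! is_email( $userdata['user_email'] ) ) {
        return new WP_Error( 'invalid_registration', 'Missing or invalid registration fields.' );
    }

    return wp_insert_user( $userdata );
}

// --- Defender check: administrator accounts registered on or after $since
// (a 'Y-m-d' string). Run after patching to spot accounts that should not exist.
function list_admins_registered_since( $since ) {
    $users = get_users(
        array(
            'role'       => 'administrator',
            'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
            'orderby'    => 'registered',
            'order'      => 'DESC',
        )
    );
    $rows = array();
    foreach ( $users as $user ) {
        $rows[] = array(
            'ID'         => $user->ID,
            'user_login' => $user->user_login,
            'user_email' => $user->user_email,
            'registered' => $user->user_registered,
        );
    }
    return $rows;
}
```

The contrast is the point: the hardened version never lets the shape of the request decide what reaches wp_insert_user, so adding or renaming a parameter on the client side cannot change the outcome. The audit helper can be called from a small mu-plugin or via WP-CLI's `wp eval` to review every administrator account created around the disclosure window; any account the site owner does not recognise should be removed and its activity reviewed.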
As with other privilege escalation vulnerabilities, this flaw can lead to complete site compromise. An attacker who gains administrative access to a WordPress site can manipulate every element of it, including uploading malicious plugin and theme files and altering content to redirect visitors to malicious sites.
In summary, the privilege escalation vulnerability identified in the Donation Forms by Charitable plugin affects versions 1.7.0.12 and earlier. It enables unauthenticated threat actors to elevate their privileges to administrator, potentially leading to complete site compromise. The vulnerability has been addressed in version 1.7.0.13 of the plugin.
WordPress users running Charitable are strongly recommended to verify that their sites have been updated to the latest patched version.
On August 10, 2023, Wordfence Premium, Wordfence Care, and Wordfence Response users were provided with a firewall rule to block attempts to exploit this vulnerability. Users of the free Wordfence version will receive the same protection by September 9, 2023.
If you know anyone using the Charitable plugin on their site, we strongly encourage you to share this information with them. Doing so contributes to the collective security of WordPress websites, as this vulnerability poses a significant and immediate threat.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/charitable/donation-forms-by-charitable-17012-unauthenticated-privilege-escalation
https://www.wordfence.com/blog/2023/08/critical-privilege-escalation-vulnerability-in-charitable-wordpress-plugin-affects-over-10000-sites/