A new authentication bypass vulnerability in the GiveWP WordPress plugin has been discovered by the Wordfence Threat Intelligence team. The plugin is installed on over 70,000 websites. The weakness allowed unauthenticated users to bypass the plugin's API authentication and potentially access personally identifiable information (PII) such as names, addresses, IP addresses and email addresses, none of which should be publicly accessible.
This is considered a high-severity issue, and websites running GiveWP 2.5.4 or below should be updated to version 2.5.5 or later right away. The security firm privately disclosed the issue to the plugin's developers on September 3rd; they responded quickly and released a patch shortly afterwards.
Vulnerability In Detail
GiveWP provides an API so that donation data can be integrated into web pages and applications such as Zapier. Site owners can generate a unique API key, along with a token and a private key, which are then used to access the restricted endpoints and retrieve donation data. However, it turned out that if no API key had been generated, anyone could access the restricted endpoints by simply picking any meta key name from the wp_usermeta table and supplying it as the API key. For instance, the session_tokens meta key (which WordPress creates for every user who has logged in) could be supplied instead of a valid API key. An authentication token is also required to validate the API request, but for users who have not generated an API key, the expected token was simply the MD5 hash of the meta key name used in place of the API key, so an attacker could compute it without knowing any secret.
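To make the described flaw concrete, here is an added Python model of the two checks, written for this article rather than taken from the plugin's code: a constructed wp_usermeta table, the flawed lookup that matches the supplied key against the meta_key column and accepts md5(key) as the token, and a hardened version that matches only the value of a dedicated public-key row and verifies a token derived from a server-side secret. The meta key names api_public_key and api_secret_key, the HMAC-SHA256 token construction and the table contents are assumptions made for the example, not details from the article or the plugin.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a wp_usermeta table as (umeta_id, user_id, meta_key, meta_value).
# Values are placeholders; a real session_tokens value is a serialized PHP array.
USERMETA = [
    (1, 1, "nickname", "admin"),
    (2, 1, "session_tokens", "a:1:{...}"),   # placeholder, not a real token
    (3, 7, "nickname", "donor"),
    (4, 7, "session_tokens", "a:1:{...}"),
]

# Hypothetical meta key names for the hardened model; the article gives no real names.
API_PUBLIC_META = "api_public_key"
API_SECRET_META = "api_secret_key"


def vulnerable_get_user(key, usermeta=USERMETA):
    """Model of the flawed lookup: the caller-supplied key is compared with the
    meta_key column, so any meta key *name* that exists (e.g. 'session_tokens')
    resolves to the first user owning such a row, typically the administrator."""
    for _, user_id, meta_key, _ in usermeta:
        if meta_key == key:
            return user_id
    return None


def vulnerable_authenticate(key, token, usermeta=USERMETA):
    """Flawed check: with no API key generated, the expected token is just md5(key)."""
    user_id = vulnerable_get_user(key, usermeta)
    if user_id is None:
        return None
    if token != hashlib.md5(key.encode()).hexdigest():
        return None
    return user_id


def forge_bypass(meta_key="session_tokens"):
    """The (key, token) pair an unauthenticated attacker sends: any existing meta
    key name and its MD5. No secret is involved, so the token is computable by anyone."""
    return meta_key, hashlib.md5(meta_key.encode()).hexdigest()


def generate_api_key(user_id, usermeta):
    """Hardened model: issue a random public key and a random secret, stored as
    meta_values under dedicated meta keys. Returns (public, secret)."""
    public = secrets.token_hex(16)
    secret = secrets.token_hex(32)
    next_id = len(usermeta) + 1
    usermeta.append((next_id, user_id, API_PUBLIC_META, public))
    usermeta.append((next_id + 1, user_id, API_SECRET_META, secret))
    return public, secret


def make_token(secret, public):
    """Token a legitimate client derives from its secret; the secret never goes over
    the wire. HMAC-SHA256 is an assumed choice for this example."""
    return hmac.new(secret.encode(), public.encode(), hashlib.sha256).hexdigest()


def fixed_authenticate(key, token, usermeta):
    """Hardened check: match the supplied key against the meta_value of the dedicated
    public-key row only, then verify the token against the user's stored secret."""
    user_id = None
    for _, uid, meta_key, meta_value in usermeta:
        if meta_key == API_PUBLIC_META and hmac.compare_digest(meta_value.encode(), key.encode()):
            user_id = uid
            break
    if user_id is None:
        return None
    secret = next((mv for _, uid, mk, mv in usermeta
                   if uid == user_id and mk == API_SECRET_META), None)
    if secret is None:
        # A user without a secret has no API access; never fall back to a hash of the key.
        return None
    if not hmac.compare_digest(make_token(secret, key).encode(), token.encode()):
        return None
    return user_id


def demo_fixed():
    """Run the hardened model against a forged pair, a legitimate pair and a bad token.
    Returns (forged_result, legitimate_result, bad_token_result)."""
    meta = list(USERMETA)
    public, secret = generate_api_key(7, meta)
    return (
        fixed_authenticate(*forge_bypass(), meta),
        fixed_authenticate(public, make_token(secret, public), meta),
        fixed_authenticate(public, "0" * 64, meta),
    )


if __name__ == "__main__":
    key, token = forge_bypass()
    print("vulnerable model, forged credentials ->", vulnerable_authenticate(key, token))
    print("hardened model (forged, legitimate, bad token) ->", demo_fixed())
```

Running the block shows the flawed model returning user 1 (the administrator) for the forged pair, while the hardened model rejects it and accepts only a client that holds the secret. The two properties that matter in the fix are that the lookup compares against a value the site generated (not a column name) and that the token depends on a secret the client must possess.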
In today's post, Wordfence detailed an authentication bypass flaw present in the GiveWP plugin. This flaw was patched in version 2.5.5, and we recommend that users update to the latest available version.