Critical Privilege Escalation Vulnerability in Charitable WordPress Plugin Affects Over 10,000 sites

On August 10, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in the Donation Forms by Charitable plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by supplying a role during a registration.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 10, 2023. Sites still using the free version of Wordfence will receive the same protection on September 9, 2023.

We contacted WP Charitable Team via email on August 10, 2023, but we didn’t get a response. Next, we tried to contact them via a contact form on their site on August 16, 2023, and we received a response on the same day. After providing full disclosure details, the developer released a patch on August 17, 2023. We would like to commend the WP Charitable Team for their prompt response and timely patch, which was released in just one day.

We urge users to update their sites with the latest patched version of Charitable, which is version 1.7.0.13 at the time of this writing, as soon as possible.

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Vulnerability Summary from Wordfence Intelligence

Description: Donation Forms by Charitable <= 1.7.0.12 – Unauthenticated Privilege Escalation
Affected Plugin: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
Plugin Slug: charitable
Affected Versions: <= 1.7.0.12
CVE ID: CVE-2023-4404
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lana Codes
Fully Patched Version: 1.7.0.13

The Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the ‘update_core_user’ function. This makes it possible for unauthenticated attackers to specify their user role by supplying the ‘role’ parameter during a registration.

Technical Analysis

Charitable is a plugin that makes it possible to create donation forms and fundraising campaigns in WordPress.

The plugin provides a shortcode ([charitable_registration]) for a custom registration form. However, insecure implementation of the plugin’s registration functionality allows users to specify arbitrary parameters when creating an account. Examining the code reveals that there is no predefined list of user parameters, nor a ban list of dangerous parameters. This makes it possible to register an administrator user by supplying the ‘role’ parameter, with the value of the role they would like assigned to their account, such as ‘administrator’.

public function update_core_user( $submitted ) {
	$core_fields = array_intersect( array_keys( $submitted ), $this->get_core_keys() );

	if ( empty( $core_fields ) ) {
		return 0;
	}

	$values = array();

	/* If we're updating an active user, set the ID */
	if ( 0 !== $this->ID ) {
		$values['ID'] = $this->ID;
	}

	foreach ( $core_fields as $field ) {
		$values[ $field ] = $submitted[ $field ];
	}

	/* Set the user's display name based on their name. */
	$display_name = $this->sanitize_display_name( $values );

	if ( $display_name ) {
		$values['display_name'] = $display_name;
	}

	/* Insert the user */
	if ( 0 == $this->ID ) {

		if ( ! isset( $values['user_pass'] ) || strlen( $values['user_pass'] ) == 0 ) {
			charitable_get_notices()->add_error( '<strong>ERROR:</strong> Password field is required.' );
			return false;
		}

		if ( ! isset( $values['user_login'] ) ) {
			$values['user_login'] = $values['user_email'];
		}

		/**
		 * `wp_insert_user` calls `sanitize_user` internally - make the
		 * same call here so `$values['user_login']` matches what is
		 * eventually saved to the database
		 */
		$values['user_login'] = sanitize_user( $values['user_login'], true );

		$user_id = wp_insert_user( $values );

		if ( is_wp_error( $user_id ) ) {
			charitable_get_notices()->add_errors_from_wp_error( $user_id );
			return false;
		}

		$this->init( self::get_data_by( 'id', $user_id ) );

		$signon = Charitable_User::signon( $values['user_login'], $values['user_pass'] );

		if ( is_wp_error( $signon ) ) {
			charitable_get_notices()->add_errors_from_wp_error( $signon );
			return false;
		}

		/**
		 * Do something after a user has been registered.
		 *
		 * @since 1.0.0
		 *
		 * @param int   $user_id The new user's ID.
		 * @param array $values  Values submitted to register user.
		 */
		do_action( 'charitable_after_insert_user', $user_id, $values );

	} else {
		$values['ID'] = $this->ID;
		$user_id      = wp_update_user( $values );
	}//end if

	/* If there was an error when inserting or updating the user, lodge the error. */
	if ( is_wp_error( $user_id ) ) {
		charitable_get_notices()->add_errors_from_wp_error( $user_id );
		return false;
	}

	/**
	 * Do something after a user's account has been updated or created.
	 *
	 * @since 1.0.0
	 *
	 * @param int   $user_id The user's ID.
	 * @param array $values  Values submitted to save user.
	 */
	do_action( 'charitable_after_save_user', $user_id, $values );

	return $user_id;
}

The update_core_user method in the Charitable_User class

Disclosure Timeline

August 10, 2023 – Discovery of the Privilege Escalation vulnerability in Charitable.
August 10, 2023 – We tried to initiate contact with the plugin vendor via email asking that they confirm the inbox for handling the discussion.
August 10, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
August 16, 2023 – Since we didn’t get a response to the email contact, we tried to contact the plugin vendor via contact form asking that they confirm the inbox for handling the discussion.
August 16, 2023 – The vendor confirms the inbox for handling the discussion.
August 16, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
August 17, 2023 – A fully patched version of the plugin, 1.7.0.13, is released.
September 9, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the Donation Forms by Charitable plugin affecting versions 1.7.0.12 and earlier. This vulnerability allows unauthenticated threat actors to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 1.7.0.13 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Charitable.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Critical Privilege Escalation Vulnerability in Charitable WordPress Plugin Affects Over 10,000 sites appeared first on Wordfence.