GiveWP <= 4.13.1 - Cross-Site Request Forgery
Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.13.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
Source Code
WordPress.org SVNI cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for CVE-2025-67467. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) within the WordPress ecosystem and the standard security practices used to mitigate…
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for CVE-2025-67467. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) within the WordPress ecosystem and the standard security practices used to mitigate these risks.
Understanding CSRF in WordPress
Cross-Site Request Forgery (CSRF) is a vulnerability that occurs when a web application performs a state-changing action based on a request from an authenticated user without verifying that the user intentionally initiated that request. In the context of WordPress, this often involves actions such as updating plugin settings, deleting content, or modifying user roles.
The vulnerability typically arises in endpoints that handle sensitive operations but fail to implement or correctly validate security tokens, known in WordPress as nonces.
Common Vulnerability Points
- AJAX Handlers: Functions hooked to
wp_ajax_*orwp_ajax_nopriv_*that perform database updates or sensitive configuration changes without verifying a nonce. - Admin Post Handlers: Functions hooked to
admin_post_*oradmin_initthat process form submissions from the WordPress dashboard. - Settings Pages: Custom administration pages that save options using
update_option()without checking the validity of the request origin.
Defense-in-Depth with WordPress Nonces
The primary defense against CSRF in WordPress is the use of nonces (numbers used once). Unlike cryptographic nonces, WordPress nonces are time-limited tokens tied to a specific user, session, and action.
Implementation Best Practices
To secure an endpoint, developers typically follow these steps:
Generate the Nonce: When rendering a form or localizing a script, a nonce is generated for a specific action string.
// In a form wp_nonce_field( 'update_plugin_settings_action', 'plugin_nonce_name' ); // For AJAX/JavaScript wp_localize_script( 'my-script', 'my_ajax_obj', [ 'nonce' => wp_create_nonce( 'my_ajax_action' ) ]);Verify the Nonce: Before processing any state-changing request, the application must verify the nonce.
// For standard POST requests if ( ! isset( $_POST['plugin_nonce_name'] ) || ! wp_verify_nonce( $_POST['plugin_nonce_name'], 'update_plugin_settings_action' ) ) { wp_die( 'Security check failed' ); } // For AJAX requests check_ajax_referer( 'my_ajax_action', 'nonce' );Check Capabilities: Nonce verification should always be accompanied by a capability check (
current_user_can()) to ensure the user has the necessary permissions to perform the action.
Identifying Potential Weaknesses
Security researchers often look for several common patterns when auditing plugins for CSRF:
- Missing Checks: The most straightforward case, where an action-handling function contains no nonce validation at all.
- Incorrect Action Strings: If the action string used during verification (
wp_verify_nonce) does not exactly match the one used during creation (wp_create_nonce), the check will fail. Conversely, using a generic or easily obtainable action string (like-1) weakens the protection. - Conditional Validation: Situations where the nonce is only checked if it is present in the request, allowing an attacker to bypass the check by omitting the parameter entirely.
- Ignoring Results: Calling a verification function but failing to terminate execution or return an error if the verification fails.
For further information on securing WordPress plugins, you may consult the official WordPress Plugin Handbook on Security or the OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet.
Summary
The GiveWP plugin for WordPress (up to version 4.13.1) lacks proper nonce validation on a sensitive function, making it vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated attacker can exploit this by tricking an administrator into clicking a malicious link or visiting a crafted page, leading to unauthorized administrative actions.
Exploit Outline
1. Identify a state-changing action handler within the GiveWP plugin that performs sensitive operations (such as updating settings or processing data) but fails to check for a valid WordPress nonce. 2. Construct a malicious payload, typically an HTML form that automatically submits via JavaScript or a direct URL with action parameters, designed to trigger the vulnerable function. 3. Distribute the payload to a logged-in site administrator using social engineering techniques to trick them into executing the request. 4. Once the administrator interacts with the payload, their browser sends a request to the WordPress site including their authentication cookies. Because the plugin does not verify the request's origin or intent via a nonce, it executes the unauthorized action as the administrator.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.