Payment Gateway Pix For GiveWP <= 2.2.3 - Missing Authorization
Description
The Payment Gateway Pix For GiveWP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 2.2.3
What Changed in the Fix
Changes introduced in v2.2.4
Source Code
WordPress.org SVN
Vulnerability Analysis Report: CVE-2026-32425
1. Vulnerability Summary
The Payment Gateway Pix For GiveWP plugin (versions <= 2.2.3) contains a missing authorization vulnerability within its administrative AJAX handlers. Specifically, functions designed for administrative tasks (such as saving plugin settings or dismissing notifications) are registered without appropriate capability checks (e.g., current_user_can( 'manage_give_settings' )). This allows unauthenticated attackers to trigger these actions by sending requests to wp-admin/admin-ajax.php.
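The registration pattern described above (an admin action hooked to wp_ajax_ / wp_ajax_nopriv_ whose callback never calls current_user_can() or verifies a nonce) is easy to check for mechanically. The following is an added example, not the advisory's or the plugin's tooling: a small CLI static check in PHP that lists AJAX registrations in a source file and reports callbacks lacking those guards. The function names audit_ajax_handlers() and function_body_of() are hypothetical, and the $sample source is constructed to mirror the advisory's description rather than copied from the plugin.

```php
<?php
// Added example, not the plugin's code: a CLI static check for WordPress AJAX
// handlers registered without authorization. Function names audit_ajax_handlers()
// and function_body_of() are hypothetical; the $sample source below is constructed
// to mirror the advisory's description of the vulnerable registrations.

/**
 * Find add_action( 'wp_ajax_...' / 'wp_ajax_nopriv_...', 'callback' ) registrations
 * and report callbacks whose body has no current_user_can() and no nonce check.
 * Limitations: resolves only string-named top-level functions (no closures or
 * [$obj, 'method'] callables), and brace matching ignores braces inside strings.
 */
function audit_ajax_handlers( string $source ): array {
    $findings = array();
    $hook_re  = '/add_action\(\s*[\'"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)[\'"]\s*,\s*[\'"]([A-Za-z0-9_]+)[\'"]/';
    if ( ! preg_match_all( $hook_re, $source, $regs, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $regs as $reg ) {
        $nopriv   = ( $reg[1] !== '' );
        $hook     = 'wp_ajax_' . $reg[1] . $reg[2];
        $callback = $reg[3];
        $body     = function_body_of( $source, $callback );
        $issues   = array();
        if ( $body === null ) {
            $issues[] = 'callback not defined in this source';
        } else {
            if ( ! preg_match( '/\bcurrent_user_can\s*\(/', $body ) ) {
                $issues[] = 'no current_user_can() check';
            }
            if ( ! preg_match( '/\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(/', $body ) ) {
                $issues[] = 'no nonce check';
            }
        }
        if ( $issues ) {
            // Unauthenticated reachability plus a missing capability check is the advisory's case.
            $severity   = ( $nopriv && in_array( 'no current_user_can() check', $issues, true ) ) ? 'high' : 'medium';
            $findings[] = array( 'hook' => $hook, 'callback' => $callback, 'severity' => $severity, 'issues' => $issues );
        }
    }
    return $findings;
}

/** Return the body of top-level function $name by brace matching, or null if it is not defined here. */
function function_body_of( string $source, string $name ): ?string {
    $def_re = '/\bfunction\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)(?:\s*:\s*\??\w+)?\s*\{/';
    if ( ! preg_match( $def_re, $source, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $start = $m[0][1] + strlen( $m[0][0] ); // first char after the opening brace
    $depth = 1;
    for ( $i = $start, $n = strlen( $source ); $i < $n; $i++ ) {
        if ( $source[ $i ] === '{' ) {
            $depth++;
        } elseif ( $source[ $i ] === '}' && --$depth === 0 ) {
            return substr( $source, $start, $i - $start );
        }
    }
    return null; // unbalanced braces
}

// Constructed sample: one handler registered for both logged-in and nopriv callers
// with no checks at all, and one guarded the way a fixed handler should be.
$sample = <<<'PHP'
add_action( 'wp_ajax_pgpfg_dismiss_notice', 'pgpfg_dismiss_notice' );
add_action( 'wp_ajax_nopriv_pgpfg_dismiss_notice', 'pgpfg_dismiss_notice' );
add_action( 'wp_ajax_pgpfg_save_settings', 'pgpfg_save_settings' );
function pgpfg_dismiss_notice() {
    update_option( 'pgpfg_notice_dismissed', '1' );
    wp_die();
}
function pgpfg_save_settings() {
    check_ajax_referer( 'pgpfg_admin_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_give_settings' ) ) {
        wp_die( -1, 403 );
    }
    update_option( 'lkn-payment-pix-key', sanitize_text_field( wp_unslash( $_POST['lkn-payment-pix-key'] ) ) );
    wp_die();
}
PHP;

foreach ( audit_ajax_handlers( $sample ) as $f ) {
    printf( "[%s] %s -> %s(): %s\n", $f['severity'], $f['hook'], $f['callback'], implode( ', ', $f['issues'] ) );
}
```

Run it with `php audit.php` after replacing $sample with `file_get_contents()` of the plugin file you want to inspect. On the constructed sample it reports both dismiss-notice registrations (the nopriv one as high) and nothing for the guarded settings handler. A handler the script reports is not automatically exploitable (the check may live in a helper it calls), but it is the place to read first.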
2. Attack Vector Analysis
- Endpoint: wp-admin/admin-ajax.php
- Action: pgpfg_save_settings (inferred from typical Link Nacional plugin patterns) or pgpfg_dismiss_notice.
- Authentication: None (Unauthenticated). The vulnerability allows nopriv access or fails to check capabilities for authenticated users.
- Vulnerable Parameter: action, along with setting fields like lkn-payment-pix-key or lkn-payment-pix-environment.
- Severity: CVSS 5.3 (Medium). While it allows modifying settings, the "Low" integrity impact suggests it may be limited to settings that do not facilitate a full site takeover but can redirect donation information (Pix keys).
3. Code Flow
- Entry Point: A request is made to admin-ajax.php with `action
Summary
The Payment Gateway Pix For GiveWP plugin for WordPress is vulnerable to unauthorized access and settings modification due to missing capability checks on its administrative AJAX handlers in versions up to 2.2.3. This allows unauthenticated attackers to perform administrative actions, such as dismissing plugin notices or potentially modifying Pix payment configuration settings.
Vulnerable Code
```js
// From Admin/js/pgpfg-admin.js @ 2.2.3
const noticeDiv = document.createElement('div')
noticeDiv.className = 'notice notice-info is-dismissible pgpfg-notice'
// Notice text plus a link to the plugin's settings tab in the GiveWP gateways screen.
noticeDiv.innerHTML = '<p>' + __('GiveWP Pix: You can receive donations with the help of various payment gateways. Access the settings to configure.', 'payment-gateway-pix-for-givewp') +
  ' <a href="' + wpApiSettings.root.replace('/wp-json/', '/wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=gateways&section=lkn-payment-pix') + '">' +
  __('Settings', 'payment-gateway-pix-for-givewp') + '</a></p>'
// Dismissal POSTs only the action name to admin-ajax.php: no nonce travels with the
// request, so the server-side pgpfg_dismiss_notice handler has nothing to verify beyond the action.
noticeDiv.querySelector('.notice-dismiss').onclick = function () {
  jQuery.ajax({
    url: ajaxurl,
    method: 'POST',
    data: { action: 'pgpfg_dismiss_notice' }
  })
}
```
Security Fix
@@ -34,12 +34,6 @@ display: none; } -.PGPFGForGivewpAdminSettingsDiv tr { - /*padding: 10px 14px;*/ - /*margin: auto;*/ - max-width: 850px; -} - .PGPFGForGivewpAdminSettingsDiv td { background-color: #fff; display: flex; @@ -54,13 +48,15 @@ align-items: center; } -.PGPFGForGivewpAdminSettingsDiv td label { +.PGPFGForGivewpAdminSettingsDiv td label, +.PGPFGForGivewpAdminSettingsDiv td div.lkn-pix-subtitle { font-weight: bold; font-size: 16px; margin: 3px 4px; } -.PGPFGForGivewpAdminSettingsDiv td label.lkn-pix-subtitle p { +.PGPFGForGivewpAdminSettingsDiv td label.lkn-pix-subtitle, +.PGPFGForGivewpAdminSettingsDiv td div.lkn-pix-subtitle p { color: rgb(60, 67, 74); font-weight: 400; margin: 0px !important; ... (truncated)
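Review bot: the hunks shown here do not contain the authorization fix the advisory credits to 2.2.4; both touch only `.PGPFGForGivewpAdminSettingsDiv` stylesheet rules (the first removes the `tr` rule with its commented-out padding/margin and `max-width: 850px`, the second extends two selectors to cover `div.lkn-pix-subtitle`). Neither adds a `current_user_can()` or nonce check, so the server-side change for the `pgpfg_dismiss_notice` and `pgpfg_save_settings` handlers has to be in the truncated remainder; the "Security Fix" section should show those hunks instead of, or ahead of, the CSS, since this excerpt alone gives a reader no way to confirm the vulnerability is closed.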
Exploit Outline
An attacker can exploit this vulnerability by sending an unauthenticated POST request to the WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`). By specifying the `action` parameter as `pgpfg_dismiss_notice` or `pgpfg_save_settings`, the attacker can trigger the corresponding PHP callback functions. Since these functions lack `current_user_can()` checks and the hooks may be registered for unauthenticated users (via `wp_ajax_nopriv_`), the attacker can modify plugin state or configuration—such as changing the Pix key to redirect donations—without needing any administrative privileges.
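The mechanism in section 1 and the outline above come down to one server-side omission: the AJAX callback runs without asking who is calling or whether the request originated from the admin page. The following is an added example, not the plugin's code and not the 2.2.4 fix, showing that handler shape beside a hardened one. The hook names, the 'manage_give_settings' capability and the lkn-payment-pix-* field names are taken from the advisory; the callback bodies, the option keys, the 'pgpfg_admin_nonce' action, the 'pgpfg-admin' script handle and the allowed environment values are assumptions.

```php
<?php
// Added example, not the plugin's code: the handler pattern the advisory describes
// beside a hardened version. Hook names, the 'manage_give_settings' capability and the
// lkn-payment-pix-* field names come from the advisory; the callback bodies, option keys,
// the 'pgpfg_admin_nonce' action, the 'pgpfg-admin' handle and the allowed environment
// values are assumptions. A real plugin would contain only one of the two sections.

// --- Vulnerable pattern: registered for unauthenticated callers and guarded by nothing. ---
add_action( 'wp_ajax_pgpfg_dismiss_notice', 'pgpfg_dismiss_notice_unchecked' );
add_action( 'wp_ajax_nopriv_pgpfg_dismiss_notice', 'pgpfg_dismiss_notice_unchecked' );

function pgpfg_dismiss_notice_unchecked() {
    // Any POST to admin-ajax.php with action=pgpfg_dismiss_notice lands here.
    update_option( 'pgpfg_notice_dismissed', '1' );
    wp_die();
}

// --- Hardened pattern ---
// 1. No wp_ajax_nopriv_ hook: an action that changes admin state has no anonymous caller.
add_action( 'wp_ajax_pgpfg_dismiss_notice', 'pgpfg_dismiss_notice_checked' );
add_action( 'wp_ajax_pgpfg_save_settings', 'pgpfg_save_settings_checked' );

function pgpfg_require_settings_admin() {
    // 2. CSRF: the request must carry the nonce issued to the admin page (dies on failure).
    check_ajax_referer( 'pgpfg_admin_nonce', 'nonce' );
    // 3. Authorization: being logged in is not enough; require the settings capability.
    if ( ! current_user_can( 'manage_give_settings' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}

function pgpfg_dismiss_notice_checked() {
    pgpfg_require_settings_admin();
    update_option( 'pgpfg_notice_dismissed', '1' );
    wp_send_json_success();
}

function pgpfg_save_settings_checked() {
    pgpfg_require_settings_admin();
    // 4. Validate before persisting: the Pix key is where donations are routed.
    $pix_key = isset( $_POST['lkn-payment-pix-key'] )
        ? sanitize_text_field( wp_unslash( $_POST['lkn-payment-pix-key'] ) )
        : '';
    $env = isset( $_POST['lkn-payment-pix-environment'] )
        ? sanitize_key( wp_unslash( $_POST['lkn-payment-pix-environment'] ) )
        : '';
    if ( '' === $pix_key || ! in_array( $env, array( 'production', 'sandbox' ), true ) ) {
        wp_send_json_error( array( 'message' => 'invalid settings' ), 400 );
    }
    update_option( 'lkn-payment-pix-key', $pix_key );
    update_option( 'lkn-payment-pix-environment', $env );
    wp_send_json_success();
}

// 5. Hand the nonce to the admin script that fires the AJAX calls
//    (assumes the 'pgpfg-admin' script handle was registered earlier).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'pgpfg-admin', 'pgpfgAdmin', array(
        'nonce' => wp_create_nonce( 'pgpfg_admin_nonce' ),
    ) );
} );
```

On the client side the dismiss request then has to send `data: { action: 'pgpfg_dismiss_notice', nonce: pgpfgAdmin.nonce }` rather than the action alone. The order of the guards matters: check_ajax_referer() runs first so that an unauthenticated or cross-site request is rejected before any capability lookup, and the capability check is against the specific settings capability, not a generic "is logged in" test, because a subscriber-level account is still an attacker from the handler's point of view.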