Charitable Donation Plugin for WordPress

A Philanthropist's Dream or A Hacker's Playground?

Cory Marsh

Published on Saturday September 23, 2023

Cory Marsh has over 20 years Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's you tube channel.

Privilege Escalation Unauthenticated Exploit Code Available

Security vulnerabilities come in all shapes and sizes, much like the entities they compromise. Today, I want to discuss a rather unsettling discovery—a significant security flaw in the Donation Forms by Charitable plugin for WordPress.

View CVE Report: CVE-2023-XXXX

View On WordPress.org: charitable

View On Trac: plugins.trac.wordpress.org

Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress

"With Charitable, you can create fundraising campaigns in minutes, whether you need a donation form for your regular ongoing donations, you’re raising money for a time-sensitive need, or you are collecting donations for a specific fundraising goal."
-- charitable

Intuitive Interface
Mobile-Friendly and Responsive
Field Types

If you are going to create a user account for someone, it's best to not ask them if they want to be an Admin

BitFire's 0-day protection of CVE-2023-XXXX vulnerability

A Deceptively Simple Oversight

Charitable is one of the top-rated WordPress donation plugins, boasting a myriad of 5-star reviews and being employed on around 10,000 websites. It provides a seamless interface for creating fundraising campaigns. That is, of course, unless you count the glaring vulnerability in versions up to, and including, 1.7.0.12 that lets unauthenticated users escalate their privileges.

Dissecting the Security Flaw

The issue at hand involves insufficient restrictions around the update_core_user function. This security misstep enables an unauthenticated attacker to specify their user role during registration. So what does this mean? It means they can set themselves as a site administrator by merely providing the 'role' parameter.

The Real-World Implications

Sure, this might sound like a slightly abstract concept until you think about the real-world implications. Imagine a scenario where an attacker gains administrator privileges on a platform that handles financial transactions. Alarming, isn’t it?

How Bad is It?

In terms of severity, this flaw can potentially give an attacker the keys to the entire kingdom, so to speak. Since Charitable is explicitly designed to facilitate financial transactions, the consequences could be disastrous—both financially and reputationally.

Immediate Action Required

If you are using this plugin, update it. Now. If you've customized the code, ensure your modifications don't compromise security. Make sure to install a RASP based firewall which can mitigate and prevent this type of attack from being exploited. While security isn't a 'feature' in traditional marketing lingo, I'd argue it's the most important one, especially in the realm of financial transactions.

Removed Code

/includes/users/class-charitable-user.php


<?php

public function update_profile( $submitted = array(), $keys = array() ) {
  if ( empty( $submitted ) ) {
    $submitted = $_POST;
  }

  if ( empty( $keys ) ) {
    $keys = array_keys( $submitted );
  }

  $user_id = $this->update_core_user( $submitted );
}

Replaced Code


get_core_keys() );
  ...

  /* If we're updating an active user, set the ID */
  if ( 0 !== $this->ID ) {
    $values['ID'] = $this->ID;
  }

  foreach ( $core_fields as $field ) {
    if ($field === 'role') { continue; }
    $values[ $field ] = $submitted[ $field ];
  }