CVE-2023-4404

9.8 CRITICAL

📋 TL;DR

The Donation Forms by Charitable WordPress plugin allows unauthenticated attackers to escalate privileges by specifying their user role during registration. This vulnerability affects all WordPress sites using Charitable plugin versions up to 1.7.0.12, enabling attackers to gain administrative access without authentication.

💻 Affected Systems

Products:
  • Donation Forms by Charitable WordPress plugin
Versions: Up to and including 1.7.0.12
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable Charitable plugin versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control over WordPress sites, allowing them to install backdoors, steal data, deface websites, or use the site for further attacks.

🟠 Likely Case

Attackers create administrator accounts and take control of vulnerable WordPress installations, often leading to malware injection, data theft, or site takeover.

🟢 If Mitigated

With proper web application firewalls and monitoring, exploitation attempts are blocked and detected before successful compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP POST requests with the 'role' parameter set to administrator or other privileged roles.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0.13 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2976818/charitable/trunk/includes/users/class-charitable-user.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Donation Forms by Charitable'
4. Click 'Update Now' or manually update to version 1.7.0.13+
5. Verify update completes successfully

🔧 Temporary Workarounds

Disable Charitable Plugin (platform: linux)

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate charitable

Web Application Firewall Rule (platform: all)

Block requests containing the 'role' parameter in registration endpoints.

🧯 If You Can't Patch

  • Disable user registration functionality in WordPress settings
  • Implement IP-based access restrictions to registration endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Charitable version ≤1.7.0.12

Check Version:

wp plugin get charitable --field=version

Verify Fix Applied:

Verify Charitable plugin version is 1.7.0.13 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with 'action=charitable_update_core_user' and 'role' parameter
  • Unusual user registration events with administrator roles
  • Multiple failed login attempts followed by successful registration

Network Indicators:

  • POST requests containing 'role=administrator' or similar privileged roles
  • Traffic to registration endpoints from suspicious IPs

SIEM Query:

source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND params CONTAINS "role=" AND params CONTAINS "charitable_update_core_user")
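As an added example that is not part of this advisory, the following Python detector implements the log indicator above: it scans access-log lines for POST requests to /wp-admin/admin-ajax.php whose body carries action=charitable_update_core_user together with a role parameter. The log lines are constructed samples, and the format assumes the web server or WAF appends the POST body as a final quoted field (stock Apache/nginx access logs do not record request bodies, so adapt the regex to your own log source).

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real traffic). Format assumption: combined-log
# style with the POST body appended as a trailing quoted field.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Aug/2023:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55 '
    '"action=charitable_update_core_user&role=administrator&user_email=x%40example.invalid"',
    '198.51.100.7 - - [10/Aug/2023:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55 '
    '"action=charitable_update_core_user&first_name=Jane"',
    '198.51.100.8 - - [10/Aug/2023:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 ""',
    '203.0.113.9 - - [10/Aug/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "log=admin&pwd=..."',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "charitable_update_core_user"


def find_role_injection(lines):
    """Return (ip, timestamp, role) for every POST to admin-ajax.php whose body
    carries the Charitable update-user action together with a 'role' parameter.
    Any role value is reported: legitimate registration never sends this field."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string when comparing the path.
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        params = parse_qs(m["body"], keep_blank_values=True)
        if TARGET_ACTION not in params.get("action", []):
            continue
        if "role" not in params:
            continue
        hits.append((m["ip"], m["ts"], params["role"][0]))
    return hits


if __name__ == "__main__":
    for ip, ts, role in find_role_injection(SAMPLE_LOGS):
        print(f"{ts} {ip} attempted role assignment: role={role}")
```

Feed real log lines to find_role_injection() in place of SAMPLE_LOGS; each hit identifies a source address worth correlating with new user accounts created around that timestamp.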
