CVE-2024-13690
📋 TL;DR
The WP Church Donation plugin for WordPress has a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into donation forms. When users view pages containing these injected forms, the scripts execute in their browsers. All WordPress sites using this plugin up to version 1.7 are affected.
💻 Affected Systems
- WP Church Donation WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, redirect users to malicious sites, deface websites, or install backdoors leading to complete site compromise.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect visitors to phishing sites, or display unwanted advertisements.
If Mitigated
With proper web application firewalls and content security policies, script execution could be blocked, limiting impact to defacement only.
🎯 Exploit Status
Stored XSS vulnerabilities are commonly weaponized; exploitation requires only web form submission.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check WordPress plugin repository for version >1.7
Vendor Advisory: https://wordpress.org/plugins/wp-church-donation/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP Church Donation plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin immediately.
🔧 Temporary Workarounds
Web Application Firewall Rule
allImplement WAF rules to block XSS payloads in donation form parameters
Content Security Policy
allImplement strict CSP headers to prevent script execution from untrusted sources
🧯 If You Can't Patch
- Deactivate and remove the WP Church Donation plugin immediately
- Implement strict input validation and output encoding for all user-submitted donation form data
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WP Church Donation version ≤1.7Check Version:
wp plugin list --name='wp-church-donation' --field=versionVerify Fix Applied:
Verify plugin version is >1.7 or plugin is completely removed from site📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to donation form endpoints with script tags or JavaScript in parameters
- Multiple failed donation submissions with suspicious payloads
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in donation form parameters
- Unusual outbound connections from site visitors after viewing donation pages
SIEM Query:
source="web_server" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path LIKE "%/wp-content/plugins/wp-church-donation/%") AND (request_body LIKE "%<script%" OR request_body LIKE "%javascript:%")🔗 References
- http://plugins.svn.wordpress.org/wp-church-donation/tags/1.7/includes/church-donation-form-display.php
- http://plugins.svn.wordpress.org/wp-church-donation/tags/1.7/includes/church-donation-listings.php
- https://wordpress.org/plugins/wp-church-donation/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/de8ac20f-d6ae-4e55-9337-4fb5ebd4f24a?source=cve
