CVE-2024-35679 – This CVE describes a reflected cross-site scrip... (How to Fix)

Q: What is the severity of CVE-2024-35679?

CVE-2024-35679 has a CVSS score of 7.1 (HIGH). This CVE describes a reflected cross-site scripting (XSS) vulnerability in the GiveWP WordPress plugin. Attackers can inject malicious scripts via crafted URLs that execute when victims visit those links. All WordPress sites using GiveWP versions up to 3.12.0 are affected.

📋 TL;DR

This CVE describes a reflected cross-site scripting (XSS) vulnerability in the GiveWP WordPress plugin. Attackers can inject malicious scripts via crafted URLs that execute when victims visit those links. All WordPress sites using GiveWP versions up to 3.12.0 are affected.

💻 Affected Systems

Products:

GiveWP WordPress Plugin

Versions: n/a through 3.12.0

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations with GiveWP plugin enabled are vulnerable regardless of configuration.

📦 What is this software?

Givewp by Givewp

View all CVEs affecting Givewp →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠

Likely Case

Attackers craft phishing emails with malicious links that execute scripts in victims' browsers, potentially stealing session tokens or performing limited unauthorized actions.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing successful exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Reflected XSS vulnerabilities are commonly exploited via phishing campaigns. The vulnerability requires user interaction (clicking a malicious link).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.12.1 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/give/wordpress-givewp-plugin-3-12-0-reflected-cross-site-scripting-xss-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find GiveWP and click 'Update Now'. 4. Verify version is 3.12.1 or higher.

🔧 Temporary Workarounds

Disable GiveWP Plugin

all

Temporarily disable the vulnerable plugin until patching is possible.

wp plugin deactivate give

Implement WAF Rules

all

Configure web application firewall to block XSS payloads targeting GiveWP endpoints.

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Use browser security extensions that block reflected XSS attacks

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → GiveWP version. If version is 3.12.0 or earlier, you are vulnerable.

Check Version:

wp plugin get give --field=version

Verify Fix Applied:

After updating, verify GiveWP version shows 3.12.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual GET requests with script tags or JavaScript in query parameters to GiveWP endpoints
Multiple failed XSS attempts in web server logs

Network Indicators:

HTTP requests containing <script> tags or JavaScript in URL parameters
Traffic patterns showing users being redirected after visiting GiveWP URLs

SIEM Query:

source="web_server_logs" AND (uri="*give*" AND (query="*<script>*" OR query="*javascript:*" OR query="*onload=*"))

📊 Metadata

CVE ID: CVE-2024-35679

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

Published: June 8, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-35679, you might also want to check these: