CVE-2024-5940

6.5 MEDIUM

📋 TL;DR

The GiveWP WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to modify event ticket settings when the Events beta feature is enabled. This affects all WordPress sites running GiveWP version 3.13.0 or earlier with the Events feature active.

💻 Affected Systems

Products:
  • GiveWP - Donation Plugin and Fundraising Platform for WordPress
Versions: All versions up to and including 3.13.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Events beta feature is enabled. Standard donation functionality without Events feature is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate ticket pricing, availability, or event details to disrupt fundraising campaigns, cause financial loss, or damage organizational reputation.

🟠 Likely Case

Unauthorized changes to ticket settings leading to confusion, incorrect pricing, or disruption of fundraising events.

🟢 If Mitigated

Limited impact if Events beta feature is disabled or proper access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A simple HTTP request to the vulnerable endpoints triggers the vulnerability; no authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.1

Vendor Advisory: https://wordpress.org/plugins/give/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find GiveWP and click 'Update Now'.
4. Verify the version is 3.13.1 or later.

🔧 Temporary Workarounds

Disable Events Beta Feature

all

Temporarily disable the Events feature until patching is complete

Navigate to GiveWP settings > Advanced > Features and disable 'Events'

🧯 If You Can't Patch

  • Disable the Events beta feature immediately
  • Implement web application firewall rules to block requests to /wp-json/give/v3/event-tickets/* endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for the GiveWP version. If the version is 3.13.0 or earlier and the Events feature is enabled, the site is vulnerable.

Check Version:

wp plugin list --name=give --field=version

Verify Fix Applied:

Verify GiveWP version is 3.13.1 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-json/give/v3/event-tickets/* endpoints from unauthenticated users
  • Unauthorized modifications to event ticket settings in GiveWP logs

Network Indicators:

  • HTTP requests to vulnerable REST API endpoints without authentication headers

SIEM Query:

source="web_server" AND (uri_path="/wp-json/give/v3/event-tickets" OR uri_path CONTAINS "/event-tickets/") AND http_method="POST" AND user_agent!="WordPress/*"
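The log indicators and SIEM query above, as an added example in Python (not part of the original advisory or of GiveWP): it scans web-server access log lines in Combined Log Format, flags write requests (POST/PUT/PATCH/DELETE) to the /wp-json/give/v3/event-tickets routes, and drops WordPress's own loopback traffic the way the query's user_agent exclusion does. The Combined Log Format layout and the sample lines are assumptions; a plain access log does not record whether the WordPress user was authenticated, so the hits are triage candidates, not confirmed unauthenticated writes.

```python
import re

# Combined Log Format (assumed default Apache/nginx layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Path prefix of the GiveWP event-tickets REST routes named in the advisory.
EVENT_TICKETS_PREFIX = "/wp-json/give/v3/event-tickets"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def is_event_ticket_write(method, path, ua):
    """True for write requests to the event-tickets routes, excluding WordPress's
    own loopback/cron traffic (User-Agent 'WordPress/...') as the advisory's SIEM
    query does. The query string is stripped so '?_locale=user' cannot dodge the match."""
    bare = path.split("?", 1)[0]
    on_route = bare == EVENT_TICKETS_PREFIX or bare.startswith(EVENT_TICKETS_PREFIX + "/")
    return method in WRITE_METHODS and on_route and not ua.startswith("WordPress/")

def scan_access_log(lines):
    """Return one dict per suspicious line; unparseable lines are skipped, not fatal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_event_ticket_write(m["method"], m["path"], m["ua"]):
            hits.append({k: m[k] for k in ("ip", "ts", "method", "path", "status", "ua")})
    return hits

# Constructed sample lines, not real traffic: a benign GET, a write from a scripted
# client, a WordPress-internal write, and a write to an unrelated (made-up) route.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-json/give/v3/event-tickets/5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /wp-json/give/v3/event-tickets/5?_locale=user HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '127.0.0.1 - - [10/Jun/2024:12:00:03 +0000] "POST /wp-json/give/v3/event-tickets/5 HTTP/1.1" 200 88 "-" "WordPress/6.5; https://example.test"',
    '198.51.100.9 - - [10/Jun/2024:12:00:04 +0000] "POST /wp-json/give/v3/other-route HTTP/1.1" 201 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ua={h["ua"]}')
```

Feed it the real access log (one line per element) and correlate hits against the GiveWP change history; a 200 on a write from an IP with no preceding login is the pattern worth investigating.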
