CVE-2022-2215 in GiveWP Plugin
Summary
by MITRE • 08/01/2022
The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup).
Analysis
by VulDB Data Team • 08/29/2022
The vulnerability identified as CVE-2022-2215 affects the GiveWP WordPress plugin in versions 2.21.2 and earlier and is a stored cross-site scripting weakness in the plugin's currency settings. The currency values an administrator enters in the plugin's settings interface are neither sanitised when saved nor escaped when rendered, so an administrative user can store HTML and script in them. Because the attacker must already hold a high-privilege role, this is not an unauthenticated or low-privilege issue; its significance is that it lets such a user inject script in installations where WordPress has been configured to deny exactly that.
Technically the flaw is the familiar pair of missing input sanitisation and missing output escaping. When an administrator modifies the currency settings, the plugin stores the submitted value as-is and later writes it into the settings page without escaping it for the HTML context, so any markup in the stored value is rendered as markup and executed in the browser of whoever views that page. The case the advisory singles out is a site where the unfiltered_html capability is disallowed, for example a WordPress multisite network (where only super admins hold it) or a site with DISALLOW_UNFILTERED_HTML set. In those deployments the platform's intent is that even administrators cannot post arbitrary HTML or script, and WordPress core enforces this by filtering content through its allowed-tag lists; a plugin that writes a setting to the database and back to the page unfiltered re-opens that boundary for every administrator of the site.
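The following is an added example written for this page, not GiveWP's code, showing the pattern described above in a minimal WordPress-style settings handler for a currency symbol: first the vulnerable form (raw POST value stored, raw value echoed) and then the hardened form (sanitise on input, escape for the output context, and register a sanitize_callback so the Settings API applies it too). The option name `example_currency_symbol`, the field name `currency_symbol`, the nonce action and the settings group are hypothetical; the WordPress functions used (`sanitize_text_field`, `esc_attr`, `esc_html`, `current_user_can`, `check_admin_referer`, `wp_unslash`, `get_option`, `update_option`, `register_setting`) are real core APIs and the code assumes WordPress is loaded.

```php
<?php
// Added example, not GiveWP's code. Assumes WordPress is loaded (wp-load.php).
// The option/field/nonce names below are hypothetical placeholders.

// --- Vulnerable pattern (CWE-79): store raw input, echo raw output -------------
function example_save_currency_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_currency_save' );
    // No sanitisation: an admin who lacks unfiltered_html (multisite,
    // DISALLOW_UNFILTERED_HTML) can still persist '<script>...</script>' here,
    // which is exactly the capability boundary the advisory describes.
    update_option( 'example_currency_symbol', wp_unslash( $_POST['currency_symbol'] ) );
}

function example_render_currency_vulnerable() {
    $symbol = get_option( 'example_currency_symbol', '$' );
    // No escaping: stored markup is emitted verbatim inside an attribute and
    // inside text, and runs for every user who opens this settings page.
    echo '<input type="text" name="currency_symbol" value="' . $symbol . '">';
    echo '<p>Preview: ' . $symbol . '100.00</p>';
}

// --- Hardened pattern: sanitise on input, escape on output ---------------------
function example_sanitize_currency_symbol( $raw ) {
    // sanitize_text_field() strips tags (including <script>/<style> bodies),
    // invalid octets and line breaks. A currency symbol never needs markup,
    // so there is no reason to branch on unfiltered_html for this field.
    $symbol = sanitize_text_field( (string) $raw );
    // Defence in depth: a symbol is a few characters; cap the length.
    return mb_substr( $symbol, 0, 5 );
}

function example_save_currency_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_currency_save' );
    $raw = isset( $_POST['currency_symbol'] ) ? wp_unslash( $_POST['currency_symbol'] ) : '';
    update_option( 'example_currency_symbol', example_sanitize_currency_symbol( $raw ) );
}

function example_render_currency_hardened() {
    $symbol = get_option( 'example_currency_symbol', '$' );
    // Escape for the context it lands in: esc_attr() inside an attribute value,
    // esc_html() in element text. Escaping on output protects even if a value
    // reached the database through some other, unsanitised path.
    echo '<input type="text" name="currency_symbol" value="' . esc_attr( $symbol ) . '">';
    echo '<p>Preview: ' . esc_html( $symbol ) . '100.00</p>';
}

// Registering the option with a sanitize_callback makes the Settings API
// (options.php) run the same sanitiser, so there is a single choke point.
add_action( 'admin_init', function () {
    register_setting( 'example_currency_group', 'example_currency_symbol', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_currency_symbol',
        'default'           => '$',
    ) );
} );
```

For a setting that legitimately holds rich text, the equivalent fix is to filter with `wp_kses_post()` unless `current_user_can( 'unfiltered_html' )`, which is how core treats post content; the point in either case is that the plugin, not the administrator's role, decides what markup may be stored, and output is escaped regardless.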
The operational impact of a stored XSS in an admin settings page is that script runs in the browser of whoever loads that page, with that user's session. On a single site the attacker and the victim are both administrators, so the gain is limited; the interesting case is multisite, where a site administrator who was deliberately denied unfiltered_html can plant a payload that later executes for a super admin or for another administrator of the same site, and the script can then perform authenticated actions on their behalf (creating users, changing settings, exfiltrating data). Because the payload is stored in the plugin's options, it persists across sessions until the offending value is removed from the database or the plugin is updated and the setting re-saved. In the context of a donation plugin, such a foothold could in principle also be used to alter payment-related configuration, so the blast radius is not confined to the settings page itself.
Security professionals should note that this vulnerability is classed under CWE-79 (Improper Neutralization of Input During Web Page Generation); the post-exploitation options it opens (acting with an administrator's session, maintaining a foothold through stored configuration) correspond broadly to the ATT&CK credential access and persistence tactics. The root cause is a plugin that trusts administrator input and neither sanitises it on save nor escapes it on render, and it can be chained with other weaknesses to escalate an attack. Organisations running GiveWP versions prior to 2.21.3 should update to 2.21.3 or later, then review the stored currency settings for unexpected markup and re-save them so the sanitised values replace any planted payload. Ongoing mitigations include keeping administrative roles (and especially unfiltered_html, which in multisite only super admins hold) limited to the people who need them, logging and reviewing changes to plugin options, and periodically auditing plugin settings for stored HTML. A web application firewall offers limited protection here, since the request that stores the payload is an authenticated administrative settings save that looks legitimate to the firewall.