CVE-2024-3714 in GiveWP Plugin
Summary
by MITRE • 05/18/2024
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/29/2025
The vulnerability identified as CVE-2024-3714 affects the GiveWP donation plugin for WordPress, a widely used fundraising platform that enables organizations to collect donations through customizable forms. This particular flaw resides within the plugin's 'give_form' shortcode functionality when processing legacy forms, representing a critical security weakness that has persisted across all versions up to and including 3.10.0. The vulnerability classifies as a stored cross-site scripting issue that exploits insufficient input sanitization and output escaping mechanisms, creating a persistent threat vector that can compromise user sessions and execute malicious code in the context of affected websites.
The technical implementation of this vulnerability stems from the plugin's failure to properly validate and sanitize user-supplied attributes when processing the 'give_form' shortcode. When authenticated users with contributor-level privileges or higher submit malicious input through form attributes, the system fails to adequately escape or filter this data before rendering it in the output. This oversight allows attackers to inject malicious JavaScript code that gets stored within the plugin's data structures and subsequently executed whenever legitimate users view pages containing the compromised shortcode. The vulnerability specifically impacts legacy forms, suggesting that newer form implementations may have received adequate protections, though this remains a critical concern for existing installations.
The operational impact of CVE-2024-3714 extends beyond simple script execution, as it enables attackers to leverage the compromised WordPress environment for more sophisticated attacks. Authenticated attackers with contributor-level access can inject scripts that potentially steal user credentials, modify donation records, or redirect users to malicious domains. This vulnerability particularly affects organizations relying on GiveWP for fundraising activities, as compromised donation forms could lead to financial fraud, data theft, and reputational damage. The attack vector requires minimal privileges, making it accessible to users who should normally have limited administrative capabilities, thereby undermining the principle of least privilege in WordPress security models.
Organizations should immediately implement mitigations including updating to the latest available version of the GiveWP plugin where the vulnerability has been addressed, applying the recommended security patches, and conducting comprehensive audits of existing forms to identify any potential malicious injections. The vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and demonstrates characteristics consistent with ATT&CK technique T1566.001 for initial access through malicious content. Administrators should also consider implementing additional security measures such as content security policies, input validation at multiple layers, and regular security scanning of plugin installations to prevent similar vulnerabilities from being exploited in other components of their WordPress environments.