Fortinet Discovers WordPress Give SQL Injection Vulnerability
Fortinet's FortiGuard Labs has discovered a SQL injection vulnerability in Impress GiveWP Give plugin for WordPress.
Give is the highest rated, most downloaded, and best supported donation plugin for WordPress. Built from the ground up for all fundraising needs, Give provides a powerful donation platform optimized for online giving.
A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/payments/class-payments-query.php or includes/donors/class-give-donors-query.php
SolutionsFortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
Users should apply the solution provided by Impress
Fortinet reported the vulnerability on 11 July, 2019
Give replied the team is investigating the report on 11 July, 2019
Give confirmed the vulnerability and released patch on 13 July, 2019. Give Team asked for a disclosure as near to 11 August as possible to give users as much time as possible to upgrade.
This vulnerability was discovered by Tin Duong of Fortinet's FortiGuard Labs.