CVE-2024-8791 Overview
CVE-2024-8791 is a critical privilege escalation vulnerability affecting the Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress. This vulnerability exists in all versions up to and including 1.8.1.14 and allows unauthenticated attackers to take over arbitrary user accounts, including administrator accounts, through improper identity verification in the update_core_user() function.
The vulnerability stems from the plugin's failure to properly verify a user's identity when the ID parameter is supplied to the update_core_user() function. This critical flaw enables attackers to modify the email address and password of any user account on the affected WordPress installation without requiring authentication, subsequently allowing them to log in to those compromised accounts.
Critical Impact
Unauthenticated attackers can escalate privileges by modifying administrator account credentials, leading to complete site takeover and unauthorized access to sensitive donation data.
Affected Products
- Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress versions up to and including 1.8.1.14
- wpcharitable charitable WordPress plugin
- WordPress sites running vulnerable Charitable plugin versions
Discovery Timeline
- 2024-09-24 - CVE-2024-8791 published to NVD
- 2024-09-26 - Last updated in NVD database
Technical Details for CVE-2024-8791
Vulnerability Analysis
This privilege escalation vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerable code resides in the class-charitable-user.php file, specifically in the update_core_user() function. The function accepts a user-controlled ID parameter but fails to implement proper authorization checks to verify that the requesting user has permission to modify the specified account.
When processing user update requests, the plugin does not validate whether the authenticated (or unauthenticated) user making the request is the same user whose account is being modified. This allows an attacker to craft malicious requests targeting any user ID on the WordPress installation, including administrator accounts.
The attack is particularly dangerous because it requires no authentication. An attacker can simply supply an arbitrary user ID along with new email and password values to hijack any account on the system.
Root Cause
The root cause of this vulnerability is the absence of proper identity verification within the update_core_user() function. The plugin trusts the user-supplied ID parameter without verifying that the requester has authorization to modify that specific user account. This represents a fundamental authorization bypass where user-controlled input directly influences security decisions without adequate validation.
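The following Python reference model, added here and not taken from the Charitable plugin's source, shows the CWE-639 pattern the advisory describes and the identity check that closes it. Only the function name update_core_user() and the ID parameter come from the advisory; the in-memory user store, the Session type and the edit_users capability check (modelled on WordPress's capability of that name) are assumptions made for the illustration.

```python
"""Reference model of the CWE-639 flaw behind CVE-2024-8791 and of the
identity verification that fixes it. Added illustration, not plugin code:
the user table, Session type and capability check are constructed here."""
import copy
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the wp_users table, keyed by user ID.
_BASE_USERS = {
    1: {"user_login": "admin", "user_email": "admin@example.test",
        "user_pass": "hash-admin", "role": "administrator"},
    7: {"user_login": "donor", "user_email": "donor@example.test",
        "user_pass": "hash-donor", "role": "subscriber"},
}

# Fields the update handler is allowed to write (email and password, as in the advisory).
WRITABLE = ("user_email", "user_pass")


def fresh_users() -> dict:
    """A private copy of the sample table so each run starts from a clean state."""
    return copy.deepcopy(_BASE_USERS)


@dataclass
class Session:
    """Who is making the request; user_id None means an unauthenticated visitor."""
    user_id: Optional[int] = None
    caps: set = field(default_factory=set)


def update_core_user_vulnerable(users: dict, params: dict) -> dict:
    """The flawed pattern: the caller-supplied ID selects the row, and nothing
    ties that ID to the identity of whoever sent the request."""
    user = users[int(params["ID"])]
    user.update({k: v for k, v in params.items() if k in WRITABLE})
    return user


def authorized_to_update(session: Session, target_id: int) -> bool:
    """Identity verification: the requester must be logged in and must either
    own the target account or hold a capability that permits editing other users."""
    if session.user_id is None:
        return False
    return session.user_id == target_id or "edit_users" in session.caps


def update_core_user_fixed(users: dict, params: dict, session: Session) -> dict:
    """Same update, refused unless the requester is allowed to act on that ID."""
    target_id = int(params["ID"])
    if not authorized_to_update(session, target_id):
        raise PermissionError(
            f"session user {session.user_id!r} may not modify user {target_id}")
    user = users[target_id]
    user.update({k: v for k, v in params.items() if k in WRITABLE})
    return user


if __name__ == "__main__":
    request = {"ID": "1", "user_email": "attacker@example.test", "user_pass": "hash-new"}
    users = fresh_users()
    update_core_user_vulnerable(users, request)        # anonymous caller rewrites the admin row
    print("vulnerable:", users[1]["user_email"])
    users = fresh_users()
    try:
        update_core_user_fixed(users, request, Session())  # same request, now refused
    except PermissionError as exc:
        print("fixed:", exc)
```

The fixed variant keys the decision on the server-side session, never on the request body; the ID parameter is only ever compared against that session, which is exactly the binding the vulnerable version lacks.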
Attack Vector
The vulnerability is exploited remotely over the network without requiring any authentication or user interaction. An attacker can target the update_core_user() function by supplying a crafted request containing:
- A target user ID (which could be enumerated or guessed, with administrator accounts typically having low ID values like 1)
- A new email address controlled by the attacker
- A new password of the attacker's choosing
Once the request is processed, the victim's account credentials are overwritten with the attacker's values. The attacker can then use the new credentials to log in as the victim, gaining full access to their account and any associated privileges.
For technical details on the vulnerable code path, refer to the WordPress Plugin Code Snippet and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-8791
Indicators of Compromise
- Unexpected password reset notifications or email change confirmations for administrator accounts
- Login events from unfamiliar IP addresses, especially following unauthorized credential modifications
- Modified user account data in the wp_users database table without corresponding legitimate administrative actions
- Anomalous HTTP POST requests targeting Charitable plugin endpoints with user ID parameters
Detection Strategies
- Monitor WordPress audit logs for unauthorized user profile modifications, particularly changes to administrator email addresses and passwords
- Implement Web Application Firewall (WAF) rules to detect suspicious requests containing user ID manipulation attempts
- Review web server access logs for unusual POST requests to Charitable plugin endpoints
- Deploy integrity monitoring on the wp_users database table to alert on unexpected modifications
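An added example of the access-log review described above (not code from the page or the plugin project): it parses combined-format log lines, keeps POST requests to Charitable endpoints that carry a user ID parameter, and groups them per client IP so that one client cycling through several IDs stands out. The sample lines are constructed, the admin-ajax action name charitable_user_update is a made-up placeholder rather than the plugin's real route, and the three-distinct-IDs threshold is an assumption.

```python
"""Flag POST requests to Charitable plugin endpoints carrying a user ID
parameter and surface per-client ID enumeration. Added example with
constructed log lines; the endpoint heuristic and threshold are assumptions."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

ID_PARAMS = ("ID", "id", "user_id")  # query parameter names treated as a user ID
ENUM_THRESHOLD = 3                   # assumption: distinct IDs per IP that look like enumeration

# Constructed sample lines; the charitable_user_update action name is a placeholder.
SAMPLE_LOG = """\
203.0.113.9 - - [25/Sep/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=charitable_user_update&ID=1 HTTP/1.1" 200 17 "-" "curl/8.4.0"
203.0.113.9 - - [25/Sep/2024:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=charitable_user_update&ID=2 HTTP/1.1" 200 17 "-" "curl/8.4.0"
203.0.113.9 - - [25/Sep/2024:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=charitable_user_update&ID=3 HTTP/1.1" 200 17 "-" "curl/8.4.0"
198.51.100.4 - - [25/Sep/2024:10:05:40 +0000] "POST /wp-admin/admin-ajax.php?action=charitable_user_update&ID=7 HTTP/1.1" 200 17 "https://example.test/my-donations/" "Mozilla/5.0"
198.51.100.4 - - [25/Sep/2024:10:05:41 +0000] "GET /my-donations/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [25/Sep/2024:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_charitable_endpoint(target: str) -> bool:
    """Heuristic: the request path or the admin-ajax 'action' value mentions charitable."""
    parts = urlsplit(target)
    action = parse_qs(parts.query).get("action", [""])[0]
    return "charitable" in parts.path.lower() or "charitable" in action.lower()


def user_id_param(target: str):
    """Return the first ID-like query parameter, or None.
    Caveat: POST bodies are not written to access logs, so an ID sent only in
    the body is invisible here and needs WAF or application-level logging."""
    query = parse_qs(urlsplit(target).query)
    for name in ID_PARAMS:
        if name in query:
            return query[name][0]
    return None


def scan(log_text: str):
    """Return (hits, enumerators): matching requests, and IPs that touched
    at least ENUM_THRESHOLD distinct user IDs."""
    hits, ids_by_ip = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not is_charitable_endpoint(rec["target"]):
            continue
        uid = user_id_param(rec["target"])
        if uid is None:
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "user_id": uid, "status": rec["status"]})
        ids_by_ip[rec["ip"]].add(uid)
    enumerators = {ip: sorted(ids) for ip, ids in ids_by_ip.items()
                   if len(ids) >= ENUM_THRESHOLD}
    return hits, enumerators


if __name__ == "__main__":
    hits, enumerators = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} user_id={h['user_id']} status={h['status']}")
    print("possible enumeration:", enumerators)
```

Run it against a real log with `scan(open("access.log").read())`; a single hit from a client that also browses the site normally (as 198.51.100.4 does in the sample) is usually a legitimate profile update, whereas a bare client walking consecutive IDs is the pattern worth escalating.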
Monitoring Recommendations
- Enable WordPress security plugins with real-time login and user modification monitoring
- Configure alerts for any administrator account credential changes
- Implement rate limiting on user update endpoints to slow down potential enumeration attacks
- Establish baseline behavior for user modification patterns and alert on anomalies
How to Mitigate CVE-2024-8791
Immediate Actions Required
- Update the Charitable plugin to a version newer than 1.8.1.14 immediately
- Audit all user accounts, especially administrators, for unauthorized email or password changes
- Force password resets for all administrator accounts if compromise is suspected
- Review recent login activity and revoke any suspicious sessions
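The account audit in the first two actions above can be made repeatable by diffing a baseline snapshot of the accounts against a current one. The Python below is an added example, not code from the page or the plugin project; both snapshots are constructed here in the JSON shape that a WP-CLI call of the form `wp user list --fields=ID,user_login,user_email,user_pass,roles --format=json` produces (user_pass is the stored hash, so the script never sees clear-text passwords). The field list and the sample account data are assumptions.

```python
"""Diff a baseline snapshot of WordPress accounts against a current one and
report email, password-hash or role changes, administrators first.
Added example; both snapshots are constructed sample data."""
import json

ADMIN_ROLE = "administrator"
WATCHED = ("user_email", "user_pass", "roles")  # fields whose change is a finding

# Constructed snapshots in the shape of `wp user list ... --format=json`.
BASELINE_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "user_email": "admin@example.test",
     "user_pass": "$P$Bbaselinehash01", "roles": "administrator"},
    {"ID": 7, "user_login": "donor", "user_email": "donor@example.test",
     "user_pass": "$P$Bbaselinehash07", "roles": "subscriber"},
    {"ID": 12, "user_login": "editor1", "user_email": "editor1@example.test",
     "user_pass": "$P$Bbaselinehash12", "roles": "editor"},
])
CURRENT_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "user_email": "attacker@example.test",
     "user_pass": "$P$Bchangedhash001", "roles": "administrator"},
    {"ID": 7, "user_login": "donor", "user_email": "donor@example.test",
     "user_pass": "$P$Bbaselinehash07", "roles": "subscriber"},
    {"ID": 12, "user_login": "editor1", "user_email": "editor1@example.test",
     "user_pass": "$P$Bbaselinehash12", "roles": "editor"},
    {"ID": 13, "user_login": "support2", "user_email": "support2@example.test",
     "user_pass": "$P$Bnewaccounthash13", "roles": "administrator"},
])


def load_snapshot(text: str) -> dict:
    """Index a JSON user list by integer user ID."""
    return {int(u["ID"]): u for u in json.loads(text)}


def is_admin(user: dict) -> bool:
    """WP-CLI reports roles as a comma-separated string."""
    return ADMIN_ROLE in str(user.get("roles", "")).split(",")


def diff_users(baseline: dict, current: dict) -> list:
    """Return one finding per account whose watched fields changed, that is new,
    or that disappeared; administrators are listed first, then by ID."""
    findings = []
    for uid, now in current.items():
        before = baseline.get(uid)
        if before is None:
            findings.append({"ID": uid, "user_login": now["user_login"],
                             "admin": is_admin(now), "changes": ["account not in baseline"]})
            continue
        changes = [f"{f} changed" for f in WATCHED if before.get(f) != now.get(f)]
        if changes:
            findings.append({"ID": uid, "user_login": now["user_login"],
                             "admin": is_admin(now) or is_admin(before), "changes": changes})
    for uid in sorted(baseline.keys() - current.keys()):
        gone = baseline[uid]
        findings.append({"ID": uid, "user_login": gone["user_login"],
                         "admin": is_admin(gone), "changes": ["account removed"]})
    findings.sort(key=lambda f: (not f["admin"], f["ID"]))
    return findings


if __name__ == "__main__":
    for f in diff_users(load_snapshot(BASELINE_JSON), load_snapshot(CURRENT_JSON)):
        flag = "ADMIN" if f["admin"] else "user"
        print(f"[{flag}] ID {f['ID']} ({f['user_login']}): {', '.join(f['changes'])}")
```

Take the baseline snapshot before exposure is suspected (or from a known-good backup) and keep it outside the web root; a changed user_pass hash on an administrator that no one can account for is the finding that should trigger the forced reset described above.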
Patch Information
The vulnerability has been addressed in the official plugin update. The security fix can be reviewed in the WordPress Plugin Changeset. This patch implements proper identity verification to ensure users can only modify their own account details.
To apply the fix:
- Navigate to the WordPress admin dashboard
- Go to Plugins → Installed Plugins
- Locate "Donation Forms by Charitable" and click "Update Now"
- Verify the plugin version is newer than 1.8.1.14
Workarounds
- If immediate patching is not possible, temporarily disable the Charitable plugin until the update can be applied
- Implement WAF rules to block requests attempting to manipulate user ID parameters in Charitable plugin endpoints
- Restrict access to WordPress admin and plugin endpoints via IP allowlisting where feasible
- Enable additional authentication factors for administrator accounts to provide defense-in-depth
# Verify current Charitable plugin version
wp plugin get charitable --field=version
# Update Charitable plugin via WP-CLI
wp plugin update charitable
# Force a password reset for every administrator account, not only user ID 1;
# the generated passwords are not recorded, so administrators regain access
# through the normal password-reset flow
for id in $(wp user list --role=administrator --field=ID); do
  wp user update "$id" --user_pass="$(openssl rand -base64 32)"
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.