GiveWP Version 2.24.0 Includes Patch for Critical Vulnerability

Version 2.24.0 patches a vulnerability that could be used by a malicious attacker to insert unwanted content in your WordPress website. This article describes the steps we took to patch this and provides details on how everyone can get access to the update immediately.

We wanted to inform you right away about an important and urgent update we made to GiveWP in version 2.24.0. The details are below, but the short version is that you should update to the latest version as soon as possible.

Here are the details:

What was the Vulnerability?

GiveWP 2.23.2 and earlier contain an unauthorized SQL Injection vulnerability that is considered critical.

The vulnerability was immediately addressed and a patch has been included in the 2.24.0 release. Please update to the latest version to make sure the vulnerability is patched and cannot be exploited on your site.

An “unauthorized SQL injection” means that an “unauthorized” user, someone who does not need to be logged into your website, can send crafted input that your website passes into a database query. Through that query they can “inject” arbitrary commands or content into your database, which may disrupt your site in a variety of ways. For more information about SQL injections, check out this guide from iThemes.

How was the Vulnerability Discovered and Fixed?

The vulnerability was discovered by a reputable security researcher and responsibly disclosed through WPScan. We truly appreciate the effort for responsible disclosure from the WordPress community to keep WordPress site owners safe.

What does this Mean for Your Website?

As of the publication of this alert, there are no known instances of this vulnerability being exploited by malicious hackers. As such, there is no reason to worry about your site.

However, you should check your website for any anomalies. This includes but is not limited to:

  1. Check to see if there are any unexpected users or admin accounts on your website.
  2. Look at your site’s content to determine if any unexplained changes have been made.
  3. Use Sucuri’s free site check to look for any indicators of compromise.
  4. Use iThemes Security to monitor for any unexpected file changes.
  5. Monitor Google Search Console for any indicators of unwanted site changes or malicious content.

If you’re still concerned and wish to check your site further, consult an expert. But, as stated previously, there is no reason to suspect this vulnerability has been exploited at the time of publication.

How to Update to the latest GiveWP Version

GiveWP core is simple to update. It’s free for all users, so there is no need to check for licensing.

To update GiveWP and ensure you have the latest version:

  1. Log into your website admin area and navigate to “Updates.”
  2. Look for GiveWP and choose to update the plugin.
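The version check and the “unexpected admin accounts” check from the lists above, scripted with WP-CLI, as an added example that is not GiveWP’s own code. It assumes WP-CLI is installed, that it is run from the WordPress root, and that the plugin slug is `give` (WordPress.org’s slug for GiveWP).

```shell
#!/bin/sh
# Added example, not GiveWP's code. Compares the installed GiveWP version with
# the first patched release (2.24.0) and lists administrator accounts so that
# unexpected ones stand out. Assumes WP-CLI ("wp") and the plugin slug "give".

PATCHED_VERSION="2.24.0"

# version_ge A B: returns 0 when dotted version A >= B (so 2.24.0 > 2.9.9).
# Only numeric components are compared; a suffix like "-beta" is stripped.
version_ge() {
    a="${1%%[!0-9.]*}"; b="${2%%[!0-9.]*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"                # leading component of each
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0                                      # all components equal
}

# give_is_patched VERSION: 0 if VERSION carries the fix, 1 if 2.23.2 or older.
give_is_patched() {
    version_ge "$1" "$PATCHED_VERSION"
}

# Reads the installed version through WP-CLI and reports whether to update.
check_installed_give() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 2; }
    installed="$(wp plugin get give --field=version 2>/dev/null)" || {
        echo "GiveWP (slug 'give') is not installed" >&2; return 2; }
    if give_is_patched "$installed"; then
        echo "GiveWP $installed: patched (>= $PATCHED_VERSION)"
    else
        echo "GiveWP $installed: VULNERABLE, run: wp plugin update give"
        return 1
    fi
}

# Lists administrator accounts with their registration date (step 1 above).
list_admin_accounts() {
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv
}

if [ "${1:-}" = "--run" ]; then
    check_installed_give
    list_admin_accounts
fi
```

Run it with `sh check_give.sh --run` from the WordPress root; a non-zero exit means the installed GiveWP is still on a vulnerable version.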

That’s it! Your website is now running the patched version and the vulnerability in GiveWP is no longer present.

Stay Safe and Reach Out If You Have Questions

As always, the security of your website and data is our utmost priority. Stay safe out there, and keep your sites backed up and updated.

If you’re not already using a service like Cloudflare, consider registering. Their service protects against most bot attacks, and their web application firewall (WAF) blocks SQL injection attempts as well as many other generic attempts to exploit unknown vulnerabilities.

If you have questions at all, feel free to reach out to us via our contact form. For more information on why your website might be hacked or hacking prevention, check out our advice from the blog.

Your success with online donations is always our number one priority!


Copyright © 2024 Liquid Web, L.L.C.

GiveWP™ is a trademark of Liquid Web, L.L.C.
