A critical security vulnerability (CVE-2024-5932, CVSS 10.0) has been identified in the WordPress GiveWP plugin, which provides donation and fundraising functionality on over 100,000 websites. This flaw allows for remote code execution (RCE) by unauthenticated users, potentially giving attackers full control over the affected sites.
| Product | give |
| Date | 2024-08-26 07:22:42 |
Technical Summary
The GiveWP – Donation Plugin and Fundraising Platform for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.1, via the deserialization of untrusted input received from the give_title parameter. This allows unauthenticated attackers to inject a PHP object. The additional presence of a POP chain allows attackers to both execute code remotely and delete arbitrary files.
Recommendations
Update to the latest available versions.
[Callforaction-THREAT-Footer]
