GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 – Unauthenticated PHP Object Injection with Potential Remote Code Execution

ISGroup Cybersecurity

A critical security vulnerability (CVE-2024-5932, CVSS 10.0) has been identified in the WordPress GiveWP plugin, which provides donation and fundraising functionality on over 100,000 websites. This flaw allows for remote code execution (RCE) by unauthenticated users, potentially giving attackers full control over the affected sites.

Productgive
Date2024-08-26 07:22:42

Technical Summary

The GiveWP – Donation Plugin and Fundraising Platform for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.1, via the deserialization of untrusted input received from the give_title parameter. This allows unauthenticated attackers to inject a PHP object. The additional presence of a POP chain allows attackers to both execute code remotely and delete arbitrary files.

Recommendations

Update to the latest available versions.

[Callforaction-THREAT-Footer]