The GiveWP plugin, with over 100,000 active installations, is a widely used donation and fundraising platform for WordPress sites. In all versions up to and including 3.16.3, there is a critical PHP Object Injection vulnerability (CVE-2024-9634) that allows attackers to inject malicious objects via the give_company_name parameter. If exploited in conjunction with a POP (Property-Oriented Programming) chain, this vulnerability can lead to Remote Code Execution (RCE). Given the plugin’s popularity and its use in handling sensitive financial transactions, such as donations, the risk of exploitation is significant. Unauthorized exploitation could compromise donor data, alter site behavior, or even grant administrative access to attackers. Due to the unauthenticated nature of the exploit, all sites using vulnerable versions are at immediate risk.
| Product | WordPress |
| Date | 2024-10-21 16:46:28 |
| Information |
|
Technical Summary
CVE-2024-9634 is a critical vulnerability affecting the GiveWP plugin for WordPress. It occurs due to insecure deserialization of user input, which allows attackers to inject PHP objects through the give_company_name parameter. The presence of a POP chain can escalate the attack to Remote Code Execution, allowing the attacker to execute arbitrary code on the compromised system. The vulnerability affects all versions up to and including 3.16.3. This makes the issue particularly dangerous, as the plugin is not only widely used but also frequently involved in financial operations where trust and security are paramount.
Recommendations
Update the GiveWP plugin to a version newer than 3.16.3, in which this vulnerability has been patched.
[Callforaction-THREAT-Footer]
