Unauthenticated PHP Object Injection Vulnerability in GiveWP Donation Plugin
CVE-2024-5932
Key Information:
- Vendor: Webdevmattcrom
- Product: GiveWP – Donation Plugin and Fundraising Platform
- CVE Published: 20 August 2024
What is CVE-2024-5932?
CVE-2024-5932 is a critical vulnerability in the GiveWP Donation Plugin, a widely used fundraising platform for WordPress. The flaw is a PHP Object Injection issue: the plugin passes untrusted request data to PHP deserialization, so an unauthenticated attacker can supply a serialized object string and have objects of arbitrary classes instantiated on the server. Organizations running the GiveWP plugin are exposed to unauthorized code execution, which can lead to data breaches, service disruption, and access to sensitive resources.
Technical Details
The vulnerability exists in all versions of the GiveWP Donation Plugin up to and including version 3.14.1. It is triggered through the 'give_title' parameter: an attacker supplies a serialized PHP object as the title value, and when the plugin deserializes it the attacker-chosen class is instantiated and its magic methods (for example __wakeup or __destruct) run with attacker-controlled properties. The presence of a "POP chain" (Property Oriented Programming chain) in the plugin's code base turns this into remote code execution and arbitrary file deletion, which can be leveraged to execute arbitrary commands on the server. Because no authentication is required, an attacker does not need a user account to exploit it. Note that the defence is not stricter sanitization of the title field but never passing untrusted data to unserialize(); checking that a string merely "looks serialized" is not a security control.
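The deserialization pattern described above, as an added example that is not GiveWP's code or the actual POP chain: a hypothetical gadget class whose __destruct() deletes a file, the vulnerable unserialize() call on untrusted input, and two hardened alternatives. The class name TempFileCleanup, the function names, and the temporary file path are assumptions for illustration only; the request shape is reduced to a single string argument.

```php
<?php
// Added example (not GiveWP code): minimal PHP Object Injection scenario.
// Class names, function names and file paths are hypothetical. Requires PHP 8.
declare(strict_types=1);

// A "gadget": an innocent-looking application class whose magic method does
// something dangerous with attacker-controlled properties. In a real POP chain
// such classes come from the plugin, WordPress core, or bundled libraries.
class TempFileCleanup
{
    public string $path = '';

    // Runs automatically when the object is garbage-collected, including objects
    // created by unserialize(). With an attacker-chosen $path this is an
    // arbitrary file deletion primitive.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: untrusted input reaches unserialize() unchanged, so any
// class named in the payload is instantiated.
function vulnerable_handle(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Recursively check whether a deserialized value contains any object
// (including __PHP_Incomplete_Class placeholders nested inside arrays).
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $element) {
            if (contains_object($element)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 1: refuse object instantiation. Objects in the payload become
// __PHP_Incomplete_Class (no magic methods run); treat their presence as hostile.
function hardened_handle(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if (contains_object($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

// Hardened pattern 2 (preferred for new code): do not use PHP's native
// serialization for user data at all; JSON cannot express objects with behaviour.
function hardened_json(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// --- demo (constructed victim file) ---------------------------------------
$victim = sys_get_temp_dir() . '/poi-demo-victim.txt';
file_put_contents($victim, 'sensitive');

// The attacker builds the payload offline, without instantiating the class:
// only the gadget's class name and property names are needed.
$payload = sprintf('O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}',
                   strlen($victim), $victim);

$obj = vulnerable_handle($payload);
unset($obj);                                   // triggers __destruct(): file deleted
printf("vulnerable: victim exists? %s\n", var_export(file_exists($victim), true));

file_put_contents($victim, 'sensitive');
try {
    hardened_handle($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected ({$e->getMessage()})\n";
}
printf("hardened: victim exists? %s\n", var_export(file_exists($victim), true));
unlink($victim);
```

Run with `php poi_demo.php`: the vulnerable path deletes the file while the hardened path rejects the payload and leaves it intact. Note that the payload is written as a literal string rather than produced with serialize(new TempFileCleanup(...)), because merely constructing the gadget on the attacker side would fire its destructor; real-world payloads are likewise crafted from knowledge of the class layout, not from a live instance.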
Impact of the Vulnerability
- Remote Code Execution: The ability for attackers to execute arbitrary code can lead to full system compromise, allowing them to manipulate, steal, or delete essential data hosted on the affected servers.
- Unauthorized Access: Successful exploitation can grant unauthorized users access to sensitive information or administrative functionality, potentially leading to further attacks or data leaks.
- Service Disruption: Attackers could leverage the arbitrary file deletion primitive to delete critical files or disable services, causing significant downtime for organizations relying on the GiveWP plugin for fundraising.
Affected Version(s)
GiveWP – Donation Plugin and Fundraising Platform: all versions <= 3.14.1 (fixed in 3.14.2)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to mass exploitation and ransomware.
News Articles
Unauthenticated RCE in WordPress Plugin Exposes 100,000 Sites
RCE in WordPress Plugin exposes over 100,000 WordPress sites to potential remote code execution (RCE) attacks.
5 months ago
Takeovers Likely Across Over 100K WordPress Sites Due to Critical Plugin Bug
SecurityWeek reports that more than 100,000 WordPress websites could be hijacked in intrusions exploiting a maximum severity PHP object injection flaw in the widely used fundraising and donation plugin GiveWP. Such a vulnerability, tracked as CVE-2024-5932, could be leveraged by t...
5 months ago
Takeovers likely across over 100K WordPress sites due to critical plugin bug
Such a vulnerability, tracked as CVE-2024-5932, could be leveraged by threat actors to facilitate PHP object injection and subsequent Property Oriented Programming chain abuse involving the manipulation of deserialized objects for remote code execution and arbitrary file deletion, a report from Defi...
5 months ago
References
EPSS Score: 6% chance of being exploited in the next 30 days.
CVSS V3.1: 10.0 (Critical)
Timeline
- Public PoC available
- Vulnerability started trending
- Exploit known to exist
- First article discovered by The Cyber Express
- Vulnerability published
- Vulnerability reserved