Unauthenticated PHP Object Injection Vulnerability in GiveWP Donation Plugin
Key Information
- Vendor: Webdevmattcrom
- GiveWP – Donation Plugin And Fundraising Platform
- CVE Published: 20 August 2024
Summary
The GiveWP Donation Plugin for WordPress has been found to have a critical PHP Object Injection vulnerability, identified as CVE-2024-5932, which has the potential for Remote Code Execution (RCE) and file deletion. The vulnerability impacts all versions of the plugin up to and including version 3.14.1, and users are strongly advised to update to version 3.14.2 immediately. The vulnerability was discovered by researcher villu164 and is classified as "Critical" with a CVSS score of 10.0. It allows attackers to gain complete control over affected sites and poses a significant risk to site security and data integrity. The GiveWP vulnerability was present due to the deserialization of untrusted input from the 'give_title' parameter, which allowed unauthenticated attackers to inject PHP objects. Exploiting this vulnerability can result in the execution of arbitrary PHP code and unauthorized file deletion. An attacker can exploit such vulnerabilities by injecting objects with harmful properties and using methods like __destruct to delete critical files. The issue was patched in version 3.14.2, which was released on August 7, 2024.
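As an added example (not code from this page or from the GiveWP project), a defender-side check that flags requests whose give_title parameter carries a serialized PHP object, the input shape the summary above describes. The log format and the sample lines are constructed, and the assumption is that the parameter is visible in the logged request target; for POST bodies you would feed WAF or body-logging output instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signature of a serialized PHP object: O:<len>:"<Class>":<n>:{ ... }
# A legitimate donation title is free text and never takes this shape.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[^"]+":\d+:\{')

# Constructed sample log lines (not from the page): "<client> <method> <path?query>".
SAMPLE_LOG = """\
203.0.113.5 POST /wp-admin/admin-ajax.php?action=give_process_donation&give_title=Mr
198.51.100.7 POST /wp-admin/admin-ajax.php?action=give_process_donation&give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D
192.0.2.9 GET /?give_title=Ms&give-form-id=1
"""


def extract_give_title(request_target):
    """Return the percent-decoded give_title value from a request target, or None."""
    query = urlsplit(request_target).query
    values = parse_qs(query).get("give_title")
    return values[0] if values else None


def is_php_object_injection(value):
    """True when a parameter value contains a serialized PHP object marker."""
    return value is not None and PHP_OBJECT_RE.search(value) is not None


def scan_log(text):
    """Return (client, give_title) for every line whose give_title carries a serialized object."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip lines that do not follow the assumed format
        client, _method, target = parts
        title = extract_give_title(target)
        if is_php_object_injection(title):
            hits.append((client, title))
    return hits
```

The regex uses search rather than match, so an object nested inside a serialized array is flagged too.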
Affected Version(s)
GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Takeovers Likely Across Over 100K WordPress Sites Due to Critical Plugin Bug
SecurityWeek reports that more than 100,000 WordPress websites could be hijacked in intrusions exploiting a maximum severity PHP object injection flaw in the widely used fundraising and donation plugin GiveWP. Such a vulnerability, tracked as CVE-2024-5932, could be leveraged by t...
3 weeks ago
Takeovers likely across over 100K WordPress sites due to critical plugin bug
Such a vulnerability, tracked as CVE-2024-5932, could be leveraged by threat actors to facilitate PHP object injection and subsequent Property Oriented Programming chain abuse involving the manipulation of deserialized objects for remote code execution and arbitrary file deletion, a report from Defi...
4 weeks ago
GiveWP WordPress plugin vulnerability puts more than 100,000 websites at risk
A very serious security flaw has been discovered in the GiveWP WordPress plugin for donations and fundraising. This vulnerability exposes more than 100,000 websites to remote code execution attacks. The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), affects ... ...
1 month ago
EPSS Score
63% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Vulnerability started trending.
- Exploit exists.
- First article discovered by The Cyber Express
- Vulnerability published.
- Disclosed
- Vulnerability Reserved.