Unauthenticated PHP Object Injection Vulnerability in GiveWP Donation Plugin

CVE-2024-5932
9.8CRITICAL

Key Information

Vendor
Webdevmattcrom
Status
GiveWP – Donation Plugin And Fundraising Platform
Vendor
CVE Published:
20 August 2024

Badges

😄 Trended👾 Exploit Exists🔴 Public PoC🟡 EPSS 63%📰 News Worthy

Summary

The GiveWP Donation Plugin for WordPress has been found to have a critical PHP Object Injection vulnerability, identified as CVE-2024-5932, which has the potential for Remote Code Execution (RCE) and file deletion. The vulnerability impacts all versions of the plugin up to and including version 3.14.1, and users are strongly advised to update to version 3.14.2 immediately. The vulnerability was discovered by researcher villu164 and is classified as "Critical" with a CVSS score of 10.0. It allows attackers to gain complete control over affected sites and poses a significant risk to site security and data integrity. The GiveWP vulnerability was present due to the deserialization of untrusted input from the 'give_title' parameter, which allowed for unauthenticated attackers to inject PHP objects. The exploitation of this vulnerability can result in the execution of arbitrary PHP code and unauthorized file deletion. An attacker can exploit such vulnerabilities by injecting objects with harmful properties and using methods like __destruct to delete critical files. The issue was patched in version 3.14.2, which was released on August 7, 2024.

Affected Version(s)

GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

EPSS Score

63% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability started trending.

  • 👾

    Exploit exists.

  • First article discovered by The Cyber Express

  • Vulnerability published.

  • Disclosed

  • Vulnerability Reserved.

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)4 News Article(s)

Credit

Villu Orav
.