cbcvebase.
CVE-2024-5932
published 2024-08-20


Priority: P1 (91) · critical 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 74.43% (99.4th percentile)
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.

Affected

3 ranges

Vendor      Product                                           Version range   Fixed in
givewp      givewp                                            < 3.16.2        3.16.2
givewp      givewp                                            < 3.14.2        3.14.2
stellarwp   givewp_donation_plugin_and_fundraising_platform   <= 3.16.1       (not listed)

Detection & IOCs (extracted from sources)

url:     /wp-json/wp/v2/give_forms/
url:     /wp-admin/admin-ajax.php
path:    /wp-content/plugins/give/
command: give_action=purchase&give-gateway=manual&give_embed_form=1&action=give_process_donation&&give_title={{payload}}
path:    /give/{{value}}?giveDonationFormInIframe=1
  • Exploit targets the `give_title` POST parameter (and related parameters like `card_address`) in the `give_process_donation` AJAX action with a serialized PHP object payload for unauthenticated RCE.
  • The POP chain abuses `Give\Vendors\Faker\ValidGenerator` with `shell_exec` as the validator and a command string in `Give\Container\Container` instances, triggered via `Stripe\StripeObject` deserialization.
  • Detection flow: first probe `/wp-json/wp/v2/give_forms/` for form slug/title, then fetch the donation form page to extract `give-form-hash`, `give-form-id-prefix`, and `give-form-id`, then POST the serialized payload to `/wp-admin/admin-ajax.php` with `action=give_process_donation`.
  • Successful exploitation returns a JSON body containing `error_data` and `unknown_error` fields alongside an outbound HTTP callback (OOB interaction), useful for blind RCE detection.
  • The patch bypass in versions 3.14.2–3.16.1 relies on `stripslashes_deep` applied to `user_info`, which allows the `is_serialized` check to be circumvented; monitor for serialized payloads in `give_title`, `card_address`, and other `user_info` sub-parameters.
  • The Metasploit module confirms the vulnerability remains exploitable through version 3.16.1 despite the 3.14.2 patch; treat all GiveWP installs ≤ 3.16.1 as unpatched.
  • Look for POST requests to `/wp-admin/admin-ajax.php` with `Content-Type: application/x-www-form-urlencoded` containing `give_action=purchase` and a `give_title` value beginning with `O:` (PHP serialized object notation).
  • The vulnerability affects GiveWP versions up to and including 3.16.1; the fix in 3.14.2 was incomplete and bypassable. Full hardening was only added in 3.16.2.
  • Multiple parameters beyond `give_title` are vulnerable, including `card_address` and other fields within `user_info`; scanning only for `give_title` payloads will miss variant attack vectors.
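The detection points above (POST to admin-ajax.php with the GiveWP donation action, a serialized PHP object in `give_title` or any other `user_info` field, and the `stripslashes_deep` normalisation that let escaped payloads slip past `is_serialized`) can be turned into a small request-log scanner. The code below is an added example written for this page; it is not from the sources cited here, VulnCheck, or the Metasploit module. The request records are constructed, the class name `Placeholder` is a placeholder rather than any real gadget, and the log tuple layout (method, path, content type, body) is an assumption about how a WAF or reverse proxy might hand over request data.

```python
import re
from urllib.parse import parse_qs, urlencode

ADMIN_AJAX = "/wp-admin/admin-ajax.php"
GIVE_FORMS_REST = "/wp-json/wp/v2/give_forms/"
FORM_URLENCODED = "application/x-www-form-urlencoded"

# PHP serialized-object marker O:<len>:"<class>", either at the start of a value
# or nested inside an array/object body (after '{' or ';').
SERIALIZED_OBJECT = re.compile(r'(?:^|[{;])O:\d+:"')


def php_stripslashes(value: str) -> str:
    """Emulate PHP stripslashes(): every backslash that escapes the next character is dropped.
    GiveWP runs stripslashes_deep over user_info, so a payload written as O:11:\\"...\\" is only
    recognisable as serialized data after the same normalisation; detection must mirror it."""
    return re.sub(r"\\(.)", r"\1", value)


def is_give_donation_request(params: dict) -> bool:
    """True when the form-encoded body carries the GiveWP donation-processing action."""
    return ("give_process_donation" in params.get("action", [])
            or "purchase" in params.get("give_action", []))


def scan_request(method: str, path: str, content_type: str, body: str) -> list:
    """Return findings for one request. Every parameter of a donation POST is checked,
    not only give_title, because card_address and other user_info fields reach the same sink."""
    findings = []
    if method == "GET" and path.startswith(GIVE_FORMS_REST):
        # Public endpoint, so informational only: it is the enumeration step before exploitation.
        findings.append({"severity": "info", "param": None,
                         "reason": "GiveWP form enumeration via REST"})
        return findings
    if method != "POST" or path != ADMIN_AJAX or not content_type.startswith(FORM_URLENCODED):
        return findings
    params = parse_qs(body, keep_blank_values=True)
    if not is_give_donation_request(params):
        return findings
    for name, values in params.items():
        for raw in values:
            if SERIALIZED_OBJECT.search(php_stripslashes(raw)):
                findings.append({"severity": "critical", "param": name,
                                 "reason": "PHP serialized object in donation parameter"})
    return findings


def scan_log(records) -> list:
    """Flatten findings across a sequence of (method, path, content_type, body) records."""
    return [f for rec in records for f in scan_request(*rec)]


# Constructed sample records (not real traffic).
DONATION_BASE = {"give_action": "purchase", "give-gateway": "manual",
                 "give_embed_form": "1", "action": "give_process_donation"}
SAMPLE_REQUESTS = [
    # 1. Ordinary donation: honorific in give_title, postal address in card_address.
    ("POST", ADMIN_AJAX, FORM_URLENCODED,
     urlencode({**DONATION_BASE, "give_title": "Mr", "card_address": "1 Main St"})),
    # 2. Serialized object placed directly in give_title.
    ("POST", ADMIN_AJAX, FORM_URLENCODED,
     urlencode({**DONATION_BASE, "give_title": 'O:11:"Placeholder":0:{}'})),
    # 3. Backslash-escaped variant in card_address; only visible after stripslashes.
    ("POST", ADMIN_AJAX, FORM_URLENCODED,
     urlencode({**DONATION_BASE, "give_title": "Ms",
                "card_address": 'O:11:\\"Placeholder\\":0:{}'})),
    # 4. Unrelated admin-ajax action: outside the GiveWP donation sink, not flagged here.
    ("POST", ADMIN_AJAX, FORM_URLENCODED,
     urlencode({"action": "heartbeat", "data": 'O:11:"Placeholder":0:{}'})),
    # 5. REST probe for form slugs.
    ("GET", GIVE_FORMS_REST, "", ""),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_REQUESTS):
        print(finding)
```

Record 3 is the one worth noticing: the raw body does not contain `O:11:"` at all, so a naive substring match on the wire format misses it, which is exactly the gap the 3.14.2 patch left open.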

CVSS provenance

nvd        v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck         10.0   CRITICAL