CVE-2024-5932
Published: 2024-08-20
Priority: P1 · 91 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW (exploited in the wild) · EXPLOIT (public exploit available) · VulnCheck KEV · Initial access
EPSS: 74.43% (99.4th percentile)
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| givewp | givewp | < 3.16.2 | 3.16.2 |
| givewp | givewp | < 3.14.2 | 3.14.2 |
| stellarwp | givewp_donation_plugin_and_fundraising_platform | <= 3.16.1 | — |
Detection & IOCs (extracted from sources)
- url: /wp-json/wp/v2/give_forms/
- url: /wp-admin/admin-ajax.php
- path: /wp-content/plugins/give/
- command: give_action=purchase&give-gateway=manual&give_embed_form=1&action=give_process_donation&&give_title={{payload}}
- path: /give/{{value}}?giveDonationFormInIframe=1
- Exploit targets the `give_title` POST parameter (and related parameters such as `card_address`) in the `give_process_donation` AJAX action with a serialized PHP object payload for unauthenticated RCE.
- The POP chain abuses `Give\Vendors\Faker\ValidGenerator` with `shell_exec` as the validator and a command string in `Give\Container\Container` instances, triggered via `Stripe\StripeObject` deserialization.
- Probe flow used by active scanners: first query `/wp-json/wp/v2/give_forms/` for a form slug/title, then fetch the donation form page to extract `give-form-hash`, `give-form-id-prefix` and `give-form-id`, then POST the serialized payload to `/wp-admin/admin-ajax.php` with `action=give_process_donation`.
- Successful exploitation returns a JSON body containing `error_data` and `unknown_error` fields; an outbound HTTP callback (OOB interaction) from the target confirms blind RCE.
- The patch bypass in versions 3.14.2–3.16.1 relies on `stripslashes_deep` being applied to `user_info`, which lets a payload slip past the `is_serialized` check; monitor for serialized payloads in `give_title`, `card_address` and other `user_info` sub-parameters.
- The Metasploit module confirms the vulnerability remains exploitable through version 3.16.1 despite the 3.14.2 patch; treat all GiveWP installs ≤ 3.16.1 as unpatched.
- Look for POST requests to `/wp-admin/admin-ajax.php` with `Content-Type: application/x-www-form-urlencoded` containing `give_action=purchase` and a `give_title` value beginning with `O:` (PHP serialized-object notation). A literal `O:` prefix match is the minimum; the `stripslashes_deep` bypass above means variants that evade a naive serialized-string check also exist.
- The vulnerability affects GiveWP versions up to and including 3.16.1; the fix in 3.14.2 was incomplete and bypassable. Full hardening was only added in 3.16.2.
- Multiple parameters beyond `give_title` are vulnerable, including `card_address` and other fields within `user_info`; scanning only for `give_title` payloads will miss variant attack vectors.
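A detector for the indicators listed above, as an added example (not GiveWP, Wordfence, Nuclei or Metasploit code): it parses form-encoded POST bodies sent to `/wp-admin/admin-ajax.php`, keeps only requests carrying `action=give_process_donation` or `give_action=purchase`, and flags `give_title`, `card_address` and `user_info[...]` values that a port of WordPress's `is_serialized()` would accept, both as received and after a `stripslashes()` pass. The second pass models the `stripslashes_deep` bypass described above; the backslash-padded sample payload, the `user_info[<key>]` field naming and the `SAMPLE_REQUESTS` traffic are constructed assumptions, not data from the page.

```python
"""Added detection example for CVE-2024-5932 / CVE-2024-8353 (not GiveWP or Wordfence code).

Scans POST bodies to /wp-admin/admin-ajax.php for the give_process_donation
action and flags give_title, card_address and user_info[...] values that are
PHP-serialized data, both as received and after a stripslashes-style pass.
The second pass models the bypass the advisory describes (stripslashes_deep
on user_info defeats the is_serialized check); the exact bypass string used
in the wild is an assumption, not taken from the advisory.
"""
import re
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/wp-admin/admin-ajax.php"
# Either marker identifies the donation-processing request (both appear in the IOC command string).
DONATION_MARKERS = {("action", "give_process_donation"), ("give_action", "purchase")}
# Parameters named in the advisories, plus any user_info sub-field (assumption:
# sub-fields arrive as user_info[<key>] form fields).
WATCHED_PARAM = re.compile(r"^(give_title|card_address|user_info\[.*\])$")


def is_serialized(data: str) -> bool:
    """Python port of the decision WordPress is_serialized() makes in strict mode."""
    data = data.strip()
    if data == "N;":
        return True
    if len(data) < 4 or data[1] != ":" or data[-1] not in ";}":
        return False
    token = data[0]
    if token == "s":
        # a serialized string ends with a closing quote right before the ';'
        return data[-2] == '"' and re.match(r"^s:[0-9]+:", data) is not None
    if token in "aOE":
        return re.match(r"^[aOE]:[0-9]+:", data) is not None
    if token in "bid":
        return re.match(r"^[bid]:[0-9.E+-]+;$", data) is not None
    return False


def stripslashes(value: str) -> str:
    """Emulate PHP stripslashes(): each backslash is removed and the character after it kept."""
    return re.sub(r"\\(.?)", r"\1", value, flags=re.S)


def check_request(path: str, body: str) -> list:
    """Return one finding per watched parameter that carries serialized PHP data."""
    if urlsplit(path).path != TARGET_PATH:
        return []
    params = parse_qsl(body, keep_blank_values=True)
    if not DONATION_MARKERS & set(params):
        return []
    findings = []
    for name, value in params:
        if not WATCHED_PARAM.match(name):
            continue
        if is_serialized(value):
            stage = "raw"
        elif is_serialized(stripslashes(value)):
            stage = "after_stripslashes"  # a check run before stripslashes_deep would miss this
        else:
            continue
        findings.append({"param": name, "stage": stage, "prefix": value[:12]})
    return findings


def scan(requests) -> list:
    """Run check_request over (path, body) pairs and collect every finding."""
    out = []
    for path, body in requests:
        for finding in check_request(path, body):
            out.append({"path": path, **finding})
    return out


# Constructed sample traffic (not captured data): a legitimate donation, a direct
# payload in give_title, a backslash-padded payload in card_address that only
# looks serialized once the slash is removed, and an unrelated action that must not fire.
SAMPLE_REQUESTS = [
    (TARGET_PATH, "give_action=purchase&give-gateway=manual&give_embed_form=1"
                  "&action=give_process_donation&give_title=Ms&card_address=1+Main+St"),
    (TARGET_PATH, "give_action=purchase&give-gateway=manual&action=give_process_donation"
                  "&give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    (TARGET_PATH, "give_action=purchase&give-gateway=manual&action=give_process_donation"
                  "&give_title=Mr&card_address=O%5C%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    (TARGET_PATH, "action=heartbeat&give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Feed it decoded request bodies from a WAF or access log that records POST data; the `stage` field tells you whether the value would have matched a plain `is_serialized` check or only the post-`stripslashes` form, which is the distinction the 3.14.2 patch got wrong.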
CVSS provenance
- NVD: CVSS 3.1 base 9.8 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 10.0 (CRITICAL)
GHSA
GHSA-vpc6-qr46-3mw7 · CVE-2024-8353 · CRITICAL · CWE-502 · ghsa_unreviewed · 2024-09-28 · CVSS 10.0
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932, however, it was discovered that the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2.

GHSA
GHSA-v25r-h42w-j2vq · CVE-2024-5932 · CRITICAL · CWE-502 · ghsa_unreviewed · 2024-08-20
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
VulnCheck
CVE-2024-8353 · CRITICAL · givewp givewp Deserialization of Untrusted Data · vulncheck · 2024 · CVSS 10.0
Description: same text as the GHSA-vpc6-qr46-3mw7 entry above (PHP Object Injection in all versions up to and including 3.16.1 via several parameters such as 'give_title' and 'card_address'; the stripslashes_deep on user_info bypasses the is_serialized check; mostly patched in 3.16.1, further hardening in 3.16.2).
Affected: givewp givewp
Req

VulnCheck
CVE-2024-5932 · CRITICAL · givewp givewp Deserialization of Untrusted Data · vulncheck · 2024 · CVSS 10.0
Description: same text as the CVE-2024-5932 summary at the top of this page (PHP Object Injection in all versions up to and including 3.14.1 via the 'give_title' parameter; POP chain allows RCE and arbitrary file deletion).
Affected: givewp givewp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cyble.com/blog/cyble-sensors-detect-exploit-attempts-on-ivanti-avtech-ip-cameras/
Exploit PoC: https://vulncheck.c
No detection rules found.
Nuclei
CVE-2024-5932 · CRITICAL · GiveWP - PHP Object Injection · nuclei · CVSS 9.8
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.
Template:
```yaml
id: CVE-2024-5932

info:
  name: GiveWP - PHP Object Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter.
  impact: |
    This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code rem
```
Metasploit
GiveWP Unauthenticated Donation Process Exploit · metasploit
The GiveWP Donation Plugin and Fundraising Platform for WordPress, in all versions up to and including 3.16.1, is vulnerable to a PHP Object Injection (POI) attack that allows unauthenticated arbitrary code execution. Although a patch was introduced in version 3.14.2, it was incorrect and can be bypassed. This means the vulnerability remains exploitable in subsequent versions due to the ineffective patch.
References:
- https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/login-register.php#L235
- https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/process-donation.php#L420
- https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/DonorDashboards/Tabs/EditProfileTab/AvatarRoute.php#L51
- https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/vendor/tecnickcom/tcpdf/tcpdf.php#L7861
- https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/vendor/vendor-prefixed/fakerphp/faker/src/Faker/ValidGenerator.php#L80
- https://plugins.trac.wordpress.org/changeset/3132247/
- https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/93e2d007-8157-42c5-92ad-704dc80749a3?source=cve