CVE-2024-8353
Published 2024-09-28
Priority P189 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 29.10% (97.9th percentile)
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932; however, it was discovered that the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| givewp | givewp | < 3.16.2 | 3.16.2 |
Detection & IOCs
- Monitor POST requests to /wp-admin/admin-ajax.php with action=give_process_donation containing serialized PHP object payloads in the give_title or card_address parameters (look for URL-encoded 'O:' object notation or backslash-prefixed serialized strings).
- The bypass technique uses stripslashes_deep on user_info to circumvent the is_serialized check; look for backslash-prefixed serialized strings (e.g., \O: or %5CO:) in POST body parameters targeting give_process_donation.
- The POP chain abuses Give\Vendors\Faker\ValidGenerator with shell_exec as the validator; alert on HTTP 500 responses to admin-ajax.php give_process_donation requests, which may indicate successful object injection triggering an error.
- Detect exploitation attempts by scanning HTTP request bodies for the serialized class name 'Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData' (URL-encoded) in POST parameters to admin-ajax.php.
- Use Shodan/FOFA queries to identify exposed WordPress instances running the GiveWP plugin as potential targets: search for http.html:"/wp-content/plugins/give/" or body="/wp-content/plugins/give/".
- The exploit is unauthenticated and targets the donation processing flow via three sequential AJAX requests: give_form_search → give_donation_form_nonce → give_process_donation. Correlate these three actions from the same source IP in rapid succession.
- A Metasploit module exists for this vulnerability (wp_givewp_rce.rb); monitor for exploitation tooling signatures associated with this module against WordPress sites running GiveWP <= 3.16.1.
- The vulnerability was 'mostly patched' in 3.16.1 but full hardening was only added in 3.16.2; sites running exactly 3.16.1 may still be partially vulnerable.
- An earlier patch introduced in version 3.14.2 was incorrect and bypassable, meaning all versions between 3.14.2 and 3.16.1 inclusive remained exploitable despite appearing patched.
- Exploitation requires a suitable POP chain to be present on the target system for RCE; without a compatible POP chain, impact may be limited to object injection only.
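The first two checks above can be expressed as a log or WAF-side filter. The following is an added example, not code from GiveWP or from any rule indexed on this page: it tests each POST parameter both as received and after one level of backslash removal, so a value that only looks serialized once stripslashes_deep has run is still flagged. It assumes the request body is form-encoded and carries the action parameter; the function names, finding labels and sample bodies are constructed for illustration, and it scans every parameter rather than only the two named ones because the advisory says "several parameters".

```python
import re
from urllib.parse import parse_qsl

# Start of a PHP serialized array/object token, e.g. O:8:"Name": or a:2:{
SERIALIZED = re.compile(r'\s*[aOC]:\d+:[{"]')


def strip_slashes(value):
    """Approximate PHP stripslashes(): remove one level of backslash escaping."""
    return re.sub(r"\\(.?)", r"\1", value, flags=re.DOTALL)


def inspect_body(body):
    """Return (parameter, finding) pairs for a form-encoded POST body.

    Only bodies with action=give_process_donation are inspected.
    """
    params = parse_qsl(body, keep_blank_values=True)  # also URL-decodes values
    if dict(params).get("action") != "give_process_donation":
        return []
    findings = []
    for name, value in params:
        if SERIALIZED.match(value):
            findings.append((name, "serialized"))
        elif SERIALIZED.match(strip_slashes(value)):
            # Does not look serialized as sent, but does once backslashes
            # are removed: the bypass condition this CVE describes.
            findings.append((name, "serialized-after-stripslashes"))
    return findings


# Constructed sample bodies; stdClass is used as a harmless stand-in class.
BENIGN = "action=give_process_donation&give_title=Mr.&card_address=1+Main+St"
PLAIN = "action=give_process_donation&give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"
SLASHED = ("action=give_process_donation"
           "&card_address=%5CO%3A8%3A%22stdClass%22%3A0%3A%7B%7D")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("plain", PLAIN), ("slashed", SLASHED)):
        print(label, inspect_body(body))
```

A filter that tested only the raw value would miss the third sample, which is the gap between the 3.14.2 patch and the later fixes described above.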
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 10.0 CRITICAL
GHSA
ghsa_unreviewed·2024-09-28·CVSS 10.0
CVE-2024-8353 [CRITICAL] CWE-502 GHSA-vpc6-qr46-3mw7: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including,
VulnCheck
givewp givewp Deserialization of Untrusted Data
vulncheck·2024·CVSS 10.0
CVE-2024-8353 [CRITICAL] givewp givewp Deserialization of Untrusted Data
Affected: givewp givewp
Nuclei
GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
nuclei·CVSS 9.8
CVE-2024-8353 [CRITICAL] GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which may allow them to execute arbitrary PHP code, depending on the presence of a suitable POP chain on the target system. This vulnerability could lead to full site compromise.
Template:
```yaml
id: CVE-2024-8353
info:
  name: GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
  author: hnd3884
  severity: critical
  description: |
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to
```
Metasploit
GiveWP Unauthenticated Donation Process Exploit
metasploit
The GiveWP Donation Plugin and Fundraising Platform for WordPress, in all versions up to and including 3.16.1, is vulnerable to a PHP Object Injection (POI) attack that allows unauthenticated arbitrary code execution. Although a patch was introduced in version 3.14.2, it was incorrect and can be bypassed. This means the vulnerability remains exploitable in subsequent versions due to the ineffective patch.
References
- https://plugins.trac.wordpress.org/browser/give/tags/3.16.0/includes/process-donation.php#L154
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/includes/admin/admin-actions.php
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/includes/process-donation.php
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/src/Helpers/Utils.php
- https://plugins.trac.wordpress.org/changeset/3157829/give/tags/3.16.2/includes/process-donation.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c4c530fa-eaf4-4721-bfb6-9fc06d7f343c?source=cve