CVE-2024-8353
published 2024-09-28

CVE-2024-8353: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1…

Priority: P1 · 89 · critical 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit status: exploited in the wild (ITW) · VulnCheck KEV · Initial access
EPSS: 29.10% (97.9th percentile)
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932; however, it was discovered that the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2.

Affected (1 range)

Vendor   Product   Version range   Fixed in
givewp   givewp    < 3.16.2        3.16.2

Detection & IOCs (extracted from sources)

url:     /wp-admin/admin-ajax.php
path:    /wp-content/plugins/give/
command: action=give_process_donation
command: action=give_form_search
command: action=give_donation_form_nonce
path:    /give/tags/3.16.0/includes/process-donation.php
  • Monitor POST requests to /wp-admin/admin-ajax.php with action=give_process_donation containing serialized PHP object payloads in the give_title or card_address parameters (look for URL-encoded 'O:' object notation or backslash-prefixed serialized strings).
  • The bypass technique uses stripslashes_deep on user_info to circumvent the is_serialized check; look for backslash-prefixed serialized strings (e.g., \O: or %5CO:) in POST body parameters targeting give_process_donation.
  • The POP chain abuses Give\Vendors\Faker\ValidGenerator with shell_exec as the validator; alert on HTTP 500 responses to admin-ajax.php give_process_donation requests, which may indicate successful object injection triggering an error.
  • Detect exploitation attempts by scanning HTTP request bodies for the serialized class name 'Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData' (URL-encoded) in POST parameters to admin-ajax.php.
  • Use Shodan/FOFA queries to identify exposed WordPress instances running the GiveWP plugin as potential targets: search for http.html:"/wp-content/plugins/give/" or body="/wp-content/plugins/give/".
  • The exploit is unauthenticated and targets the donation processing flow via three sequential AJAX requests: give_form_search → give_donation_form_nonce → give_process_donation. Correlate these three actions from the same source IP in rapid succession.
  • A Metasploit module exists for this vulnerability (wp_givewp_rce.rb); monitor for exploitation tooling signatures associated with this module against WordPress sites running GiveWP <= 3.16.1.
  • The vulnerability was 'mostly patched' in 3.16.1 but full hardening was only added in 3.16.2; sites running exactly 3.16.1 may still be partially vulnerable.
  • An earlier patch introduced in version 3.14.2 was incorrect and bypassable, meaning all versions between 3.14.2 and 3.16.1 inclusive remained exploitable despite appearing patched.
  • Exploitation requires a suitable POP chain to be present on the target system for RCE; without a compatible POP chain, impact may be limited to object injection only.
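As an added example (not taken from this record's sources and not GiveWP project code), the following Python detector applies the bullets above to constructed request records: it flags give_process_donation requests whose give_title or card_address parameter carries a PHP serialized-object marker, including the backslash-prefixed form that the stripslashes_deep bypass produces or the class name named above, and it correlates the give_form_search → give_donation_form_nonce → give_process_donation sequence from a single source IP inside a short window. The record layout (timestamp, source IP, path, URL-encoded POST body), the sample IPs, the parameter names other than give_title/card_address/action, and the harmless stdClass payload are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Parameters the advisory names as deserialization sinks.
WATCHED_PARAMS = ("give_title", "card_address")
# Serialized class name quoted in the detection guidance above.
KNOWN_CLASS = "Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData"
# AJAX action sequence the guidance says to correlate per source IP.
SEQUENCE = ("give_form_search", "give_donation_form_nonce", "give_process_donation")


def looks_serialized_object(value: str) -> bool:
    """True when a decoded parameter value starts with a PHP object marker ('O:'),
    with or without the escaping backslashes that stripslashes_deep would strip,
    or contains the known class name from the POP-chain payload."""
    unescaped = value.lstrip("\\")
    return unescaped.startswith("O:") or KNOWN_CLASS in unescaped


def inspect_request(path: str, body: str) -> list:
    """Return a list of findings for one request (empty if nothing suspicious)."""
    if not path.startswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes %5C / %3A etc.
    if params.get("action", [""])[0] != "give_process_donation":
        return []
    findings = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if looks_serialized_object(value):
                findings.append(f"serialized object in {name}")
    return findings


def correlate_sequence(records, window=timedelta(seconds=30)) -> set:
    """Return source IPs that issued the three actions in order within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, path, body in records:
        action = parse_qs(body).get("action", [""])[0]
        if path.startswith("/wp-admin/admin-ajax.php") and action in SEQUENCE:
            by_ip[ip].append((ts, action))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, action) in enumerate(events):
            if action != SEQUENCE[0]:
                continue
            step = 1
            for ts, later in events[i + 1:]:
                if ts - start > window:
                    break
                if later == SEQUENCE[step]:
                    step += 1
                    if step == len(SEQUENCE):
                        flagged.add(ip)
                        break
    return flagged


def scan(records, window=timedelta(seconds=30)) -> list:
    """Combine both checks into (source IP, finding) alert tuples."""
    alerts = []
    for ts, ip, path, body in records:
        for finding in inspect_request(path, body):
            alerts.append((ip, finding))
    for ip in sorted(correlate_sequence(records, window)):
        alerts.append((ip, "three-step GiveWP AJAX sequence within window"))
    return alerts


# Constructed sample records: (timestamp, source IP, path, URL-encoded POST body).
# The give_title value decodes to \O:8:"stdClass":0:{} -- an empty stdClass, not an exploit.
SAMPLE_REQUESTS = [
    (datetime(2024, 9, 30, 10, 0, 0), "203.0.113.5", "/wp-admin/admin-ajax.php",
     "action=give_form_search&s=test"),
    (datetime(2024, 9, 30, 10, 0, 2), "203.0.113.5", "/wp-admin/admin-ajax.php",
     "action=give_donation_form_nonce&give_form_id=1"),
    (datetime(2024, 9, 30, 10, 0, 4), "203.0.113.5", "/wp-admin/admin-ajax.php",
     "action=give_process_donation&give_title=%5CO%3A8%3A%22stdClass%22%3A0%3A%7B%7D"
     "&card_address=1+Main+St"),
    (datetime(2024, 9, 30, 10, 5, 0), "198.51.100.7", "/wp-admin/admin-ajax.php",
     "action=give_process_donation&give_title=Mr&card_address=2+High+St"),
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_REQUESTS):
        print(f"ALERT {ip}: {finding}")
```

The value check is deliberately done after URL decoding and after stripping leading backslashes, so the detector sees the same bytes the plugin would after stripslashes_deep; matching only on a literal `O:` prefix in the raw body would miss the bypass form. The sequence correlation is a separate signal because a legitimate donor also walks the same three actions, so it is most useful combined with the payload check or with the HTTP 500 responses mentioned above.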

CVSS provenance

nvd:       v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 10.0 · CRITICAL