Advisory

GiveWP donation plugin fixes critical flaw

Take action: If you are using the GiveWP plugin, update to the patched version (3.14.2) immediately, or delete the plugin. While the severity score varies, the unauthenticated exploit and well-documented PoC mean that criminals will attack it. Updating is trivial, don't delay.


Learn More

The GiveWP plugin for WordPress, a widely-used donation platform with over 100,000 active installations, has patched a critical vulnerability that could lead to remote code execution (RCE) and file deletion. This vulnerability, tracked as CVE-2024-5932 (CVSS score varies from 5.3 to 10), was discovered and reported by Villu Orav (villu164) through the Wordfence Bug Bounty Program.

The vulnerability, present in all versions of the GiveWP plugin up to and including version 3.14.1, is due to an unauthenticated PHP Object Injection issue that can be exploited via deserialization of untrusted input from the give_title parameter. The plugin’s lack of validation on this parameter enables attackers to inject a PHP object. Coupled with the presence of a Property-Oriented Programming (POP) chain, this allows threat actors to remotely execute arbitrary code and delete files from the affected system.
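The passage above describes the general class of bug: a request parameter is handed to unserialize(), so an attacker who supplies serialized-object syntax gets objects instantiated inside the application, and any magic method on a reachable class runs. The following is an added illustration, not GiveWP's code and not the actual give_title handler; DemoClass, the handle_title_* functions and the sample input are constructed for this example. It contrasts the unsafe pattern with two defensive alternatives: refusing object instantiation via allowed_classes, and not deserializing a text field at all.

```php
<?php
// Added illustration (not GiveWP's code): why unserialize() on an untrusted
// request parameter is dangerous, and two safer ways to handle the same input.

class DemoClass
{
    public string $name = '';

    // Any class with a magic method reachable during deserialization is a
    // candidate gadget in a POP chain. This one only announces that it ran.
    public function __wakeup(): void
    {
        echo "DemoClass::__wakeup() ran during unserialize()\n";
    }
}

// Constructed sample input standing in for an attacker-controlled
// give_title value: serialized-object syntax where a plain string belongs.
$untrusted = 'O:9:"DemoClass":1:{s:4:"name";s:5:"hello";}';

// Vulnerable pattern: the object is instantiated and __wakeup() fires
// before the caller has any chance to validate the value.
function handle_title_unsafe(string $input)
{
    return unserialize($input);
}

// Hardened pattern 1: forbid object instantiation entirely. Any O:/C:
// token is turned into __PHP_Incomplete_Class and no magic method runs.
function handle_title_no_objects(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred for a title): the field is text, so never
// deserialize it. Reject serialized-object syntax and sanitize as plain text.
// In a WordPress plugin the sanitizer would normally be sanitize_text_field().
function handle_title_as_text(string $input): ?string
{
    if (preg_match('/^[OC]:\d+:"/', $input) === 1) {
        return null; // looks like a serialized object, refuse it
    }
    return strip_tags($input);
}

// Unsafe: still a DemoClass instance, and its __wakeup() has already run.
$obj = handle_title_unsafe($untrusted);
echo get_class($obj), "\n";

// Hardened 1: an __PHP_Incomplete_Class placeholder; nothing executed.
$safe = handle_title_no_objects($untrusted);
echo get_class($safe), "\n";

// Hardened 2: the serialized payload is rejected, a real title passes.
var_dump(handle_title_as_text($untrusted));
var_dump(handle_title_as_text('Spring fundraiser'));
```

The regex check in handle_title_as_text is deliberately narrow and only catches a top-level object; a serialized array wrapping an object (a:1:{...O:...}) would slip past it, which is why a denylist on the input is a weak second line of defence. The robust fixes are the other two: pass allowed_classes to unserialize() wherever serialized data must be accepted, and for fields that are semantically strings, validate and sanitize them as strings and never call unserialize() on them at all.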

A patch was released in version 3.14.2 of the GiveWP plugin. Site owners using GiveWP are strongly advised to update to the patched version (3.14.2) immediately.
