GiveWP Plugin Vulnerability Risked 100,000+ Websites To RCE Attacks

A serious code execution vulnerability compromised the security of the GiveWP WordPress plugin, risking thousands of websites. Users running this plugin must update their sites with the latest plugin release to receive the patch.

GiveWP Plugin Vulnerability Allowed Remote Code Execution

As elaborated in a recent post from Wordfence, a critical code execution vulnerability existed in the GiveWP plugin. GiveWP is a known WordPress plugin that facilitates users with valuable features for swift donations and fundraising activities. However, boasting over 100,000 active installations, the plugin also risks thousands of WordPress sites globally to cyber threats due to the vulnerability.

Specifically, the vulnerability is a PHP Object Injection issue that affected all GiveWP plugin versions until v.3.14.1. It existed due to “deserialization of untrusted input from the ‘give_title‘ parameter.” Exploiting this vulnerability allowed an unauthenticated adversary to inject a malicious PHP object. Moreover, the presence of the POP chain also permitted the adversary to perform various malicious actions, such as executing malicious codes remotely or deleting arbitrary files.

This vulnerability, CVE-2024-5932, received a critical severity rating with a CVSS score of 10.0. It is the maximum severity score that, when assigned to a vulnerability, indicates the highest threat level for the flaw, potentially causing massive damage to the victim users following an exploit.

Patch Deployed – Update Asap!

This vulnerability first caught the attention of the security researcher Villu Orav (villu164), who responsibly disclosed it via Wordfence’s bug bounty program.

In response to his report, the GiveWP team patched the flaw with plugin version 3.14.2, released earlier this month. Wordfence rewarded the researcher with a $4998 bug bounty for this report.

The plugin’s official WordPress page lists version 3.15.1 as the latest release. Hence, users should ideally update their websites with this plugin version to receive all security fixes and feature improvements.

Let us know your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil