The GiveWP plugin vulnerability compromised more than 100,000 websites for RCE


A serious code execution vulnerability compromised the security of the GiveWP WordPress plugin, putting thousands of websites at risk. Sites running this plugin must be updated to the latest plugin release to receive the patch.

GiveWP plugin vulnerability allows remote code execution

As elaborated in a recent post from Wordfence, a critical code execution vulnerability existed in the GiveWP plugin. GiveWP is a well-known WordPress plugin that provides users with valuable features for quick donations and fundraising activities. However, with over 100,000 active installations, this vulnerability also put thousands of WordPress sites worldwide at risk from cyber threats.

Specifically, the vulnerability is a PHP Object Injection issue that affected all versions of the GiveWP plugin up to v3.14.1. It existed due to “deserialization of untrusted input from the ‘give_title’ parameter.” Exploiting this vulnerability allowed an unauthenticated adversary to inject a malicious PHP object. Furthermore, the presence of a POP chain also allowed the adversary to perform various malicious actions, such as remotely executing malicious code or deleting arbitrary files.
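To make the class of bug concrete, here is an added illustration in PHP that is not GiveWP's code: a hypothetical handler showing the unsafe pattern the advisory describes (unserialize() on an untrusted request parameter) beside a hardened version and a simple detection check. Only the parameter name give_title comes from the advisory; the function names and sample inputs are constructed for this example.

```php
<?php
// Added illustration, not GiveWP's code. The parameter name "give_title"
// is from the advisory; everything else here is constructed.

// Unsafe: unserialize() instantiates any class named in the input and runs
// its __wakeup()/__destruct() methods, which is what a POP chain abuses.
function restore_title_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: refuse object instantiation and accept only a plain string.
// With allowed_classes => false, any "O:" payload becomes a harmless
// __PHP_Incomplete_Class instead of a real application object.
function restore_title_safe(string $raw): ?string
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_string($value) ? $value : null;
}

// Detection aid for a WAF rule or log review: a donation-form title should
// never carry a serialized-object marker such as O:8:"stdClass":...
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $raw);
}

// Constructed sample inputs (not real traffic): a serialized string and a
// serialized object of the built-in stdClass.
$samples = [
    'benign'  => 's:5:"Hello";',
    'hostile' => 'O:8:"stdClass":1:{s:1:"x";i:1;}',
];

foreach ($samples as $label => $raw) {
    $title = restore_title_safe($raw);
    printf("%s: restore_title_safe -> %s, flagged=%s\n",
        $label,
        $title === null ? 'rejected' : $title,
        looks_like_serialized_object($raw) ? 'yes' : 'no');
}
```

Since a title is plain text, the best fix is to avoid unserialize() on it entirely and treat the value as a string; the hardened function is the fallback when a serialized format genuinely must be accepted.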

This vulnerability, CVE-2024-5932, received a critical severity rating with a CVSS score of 10.0. That is the maximum severity score; when assigned to a vulnerability, it indicates the highest threat level for the flaw, with the potential to cause massive damage to the users affected by an exploit.

Patch deployed – Update ASAP!

This vulnerability first caught the attention of security researcher Villu Orav (villu164), who responsibly disclosed the vulnerability through Wordfence’s bug bounty program.

In response to his report, the GiveWP team fixed the bug with plugin version 3.14.2, which was released earlier this month. Wordfence rewarded the researcher with a $4,998 bug bounty for this report.


The plugin’s official WordPress page lists version 3.15.1 as the latest edition. Therefore, users should ideally update their websites with this plugin version to receive all security fixes and feature improvements.
