CVE-2024-5932 (CVSS 10): Critical RCE Vulnerability Impacts 100k+ WordPress Sites
A critical security flaw (CVE-2024-5932) in the popular GiveWP WordPress plugin has left over 100,000 websites vulnerable to remote code execution and unauthorized file deletion. This vulnerability, scoring a maximum of 10 on the CVSS severity scale, can be exploited by attackers without requiring any authentication.
The vulnerability in question is a PHP Object Injection (POI) flaw that can be triggered through the deserialization of untrusted input, specifically via the ‘give_title’ parameter in the GiveWP plugin. The deserialization process can be exploited by injecting a crafted PHP object, which, when combined with an existing Property Oriented Programming (POP) chain present in the plugin, escalates the attack to Remote Code Execution (RCE). This means attackers can gain full control over the affected WordPress site without needing any prior authentication.
The impact of this vulnerability is particularly alarming due to its ability to not only execute arbitrary code but also delete critical files from the server. Given the nature of donation and fundraising platforms, any breach could potentially expose sensitive donor information, disrupt financial transactions, and tarnish the reputations of the organizations relying on GiveWP.
The security researcher who discovered the flaw, villu164, responsibly reported it through the Wordfence Bug Bounty Program. For this critical discovery, villu164 was awarded a bounty of $4,998.00. The GiveWP team has since released an urgent security update, version 3.14.2, to address the vulnerability.
Given the severity of CVE-2024-5932, it is imperative that all users of the GiveWP plugin update to the latest version (3.14.2) immediately. Websites that remain on older versions are at significant risk of exploitation, which could lead to complete site compromise, data loss, and irreversible damage.
