
A critical security vulnerability (CVE-2024-9634) has been discovered and patched in GiveWP, a popular WordPress donation plugin with over 100,000 active installations. The flaw, a PHP Object Injection vulnerability, could allow unauthenticated attackers to execute arbitrary code on vulnerable websites, potentially compromising sensitive donor data and taking complete control of the site.
The vulnerability, with a CVSS score of 9.8, was identified by security researcher “lefab” and stemmed from the plugin’s improper handling of the give_company_name parameter. This allowed attackers to inject malicious PHP objects, which, when combined with a pre-existing POP (property-oriented programming) chain, a sequence of gadgets already present in the code that can be chained together to achieve code execution, could lead to remote code execution.
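To illustrate the defect class described above, the following is an added example (not GiveWP’s own code): a hypothetical handler that passes the give_company_name field through unserialize(), beside a hardened version that treats the field strictly as text and refuses serialized input. The handler names and the sanitisation details are assumptions for illustration only.

```php
<?php
// Added illustration, not GiveWP code. The field name give_company_name is
// taken from the advisory; the handler structure is a hypothetical stand-in.

// Vulnerable pattern: request-controlled data reaches unserialize(), so any
// class already loaded by WordPress or its plugins can be instantiated with
// attacker-chosen properties. That is what makes an existing POP chain usable.
function store_company_vulnerable(array $post): string {
    $raw = $post['give_company_name'] ?? '';
    $value = unserialize($raw);            // object injection sink
    return is_string($value) ? $value : (string) json_encode($value);
}

// Hardened pattern: never deserialize request input. Reject anything that
// looks like PHP serialized data and keep only plain text.
function looks_serialized(string $s): bool {
    // Opening of PHP serialized scalars/arrays/objects, e.g. "O:8:" or "a:1:"
    return (bool) preg_match('/^[abCdiOsN](?::|;)/', $s);
}

function store_company_hardened(array $post): string {
    $raw = (string) ($post['give_company_name'] ?? '');
    if (looks_serialized($raw)) {
        throw new InvalidArgumentException('give_company_name must be plain text');
    }
    // Mirrors the intent of WordPress sanitize_text_field(): strip tags and
    // control characters, trim, and cap the length.
    $clean = trim(strip_tags($raw));
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return mb_substr($clean, 0, 200);
}

// Where stored data genuinely must be deserialized (e.g. legacy meta),
// forbid object instantiation entirely so no gadget can run.
function safe_unserialize(string $s) {
    return unserialize($s, ['allowed_classes' => false]);
}

// Constructed inputs for a local run with `php this_file.php`:
$benign  = ['give_company_name' => 'Example Charity Ltd'];
$suspect = ['give_company_name' => 'O:8:"stdClass":1:{s:1:"a";s:1:"b";}'];
echo store_company_hardened($benign), "\n";
try {
    store_company_hardened($suspect);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// With allowed_classes disabled the object is returned as __PHP_Incomplete_Class
echo get_class(safe_unserialize($suspect['give_company_name'])), "\n";
```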
Given the widespread use of the GiveWP plugin, this vulnerability puts a significant number of websites in danger. Attackers exploiting CVE-2024-9634 can execute arbitrary code, leading to full control over affected sites without needing to authenticate or bypass additional security controls.
The GiveWP development team responded swiftly to the report, releasing a patched version (3.16.4) to address the vulnerability. All users of GiveWP are strongly urged to update to the latest version immediately.