CVE-2024-9634 (CVSS 9.8): Critical GiveWP Flaw Exposes 100,000+ WordPress Sites to RCE


A critical security vulnerability (CVE-2024-9634) has been discovered and patched in GiveWP, a popular WordPress donation plugin with over 100,000 active installations. The flaw, a PHP Object Injection vulnerability, could allow unauthenticated attackers to execute arbitrary code on vulnerable websites, potentially compromising sensitive donor data and taking complete control of the site.

The vulnerability, with a CVSS score of 9.8, was identified by security researcher “lefab” and stemmed from the plugin’s improper handling of the give_company_name parameter. This allowed attackers to inject malicious PHP objects, which, when combined with a pre-existing POP chain (property-oriented programming: a sequence of gadgets already present in the code base whose magic methods can be chained together to achieve code execution), could lead to remote code execution.
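The bug class described above, as an added illustration that is not GiveWP's code and not its actual patch: a request field handed to unserialize(), beside the two hardened forms a defender would expect. The field name give_company_name comes from the advisory; how the plugin processed it is an assumption here, and sanitize_text_field/wp_unslash are assumed WordPress API calls.

```php
<?php
// Added illustration, not GiveWP's own code. The field name give_company_name
// comes from the advisory; how the plugin handled it is an ASSUMPTION here
// (PHP Object Injection means attacker-controlled data reached unserialize()).

// A harmless stand-in for any class with a magic method. In a real POP chain
// the revived object's __wakeup()/__destruct() is the first gadget; this one
// only records that it ran.
class LoggingStub {
    public string $note = '';
    public function __wakeup(): void {
        error_log('LoggingStub::__wakeup ran: ' . $this->note);
    }
}

// VULNERABLE pattern: unserialize() on request data instantiates whatever class
// the input names, so that class's magic methods run with the plugin's privileges.
function vulnerable_read(array $post) {
    return unserialize($post['give_company_name'] ?? '');
}

// HARDENED, preferred: a company name is plain text. Sanitize it as text and
// never deserialize it (WordPress API calls, assumed available inside a plugin).
function hardened_read(array $post): string {
    return sanitize_text_field(wp_unslash($post['give_company_name'] ?? ''));
}

// HARDENED, only if serialized data is genuinely required: forbid object revival.
// Any object in the payload becomes __PHP_Incomplete_Class; no magic method runs.
function hardened_unserialize(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample: a serialized LoggingStub, the shape an injected value takes.
$constructed = [
    'give_company_name' => 'O:11:"LoggingStub":1:{s:4:"note";s:11:"constructed";}',
];

$obj = vulnerable_read($constructed);
assert($obj instanceof LoggingStub);              // gadget class was instantiated

$safe = hardened_unserialize($constructed['give_company_name']);
assert($safe instanceof __PHP_Incomplete_Class);  // revived as an inert shell only
```

In a code review or static scan, any unserialize() call without 'allowed_classes' => false on data that can originate from a request is the pattern to flag; the fix is almost always to stop deserializing that field at all.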

Given the widespread use of the GiveWP plugin, this vulnerability puts a significant number of websites in danger. Attackers exploiting CVE-2024-9634 can execute arbitrary code, leading to full control over affected sites without needing to authenticate or bypass additional security controls.

The GiveWP development team responded swiftly to the report, releasing a patched version (3.16.4) to address the vulnerability. All users of GiveWP are strongly urged to update to the latest version immediately.
