WordPress Plugin GiveWP Bug CVE-2024-8353

A critical vulnerability has been discovered in the popular GiveWP donation plugin for WordPress, potentially allowing unauthenticated attackers to take complete control of affected websites.

The vulnerability, tracked as CVE-2024-8353 with a CVSS score of 10, is a PHP Object Injection vulnerability that occurs due to improper handling of untrusted input, specifically during the deserialization of several parameters, such as ‘give_title’ and ‘card_address’. This flaw allows unauthenticated attackers to inject a malicious PHP object into the system. The additional presence of a POP (Property Oriented Programming) chain allows attackers to leverage this vulnerability to delete arbitrary files and gain remote code execution on the target website.

All versions of GiveWP up to and including 3.16.1 are vulnerable. With over 100,000 active installations, this represents a significant security risk to many WordPress websites that rely on this plugin for their fundraising efforts.

Update GiveWP to version 3.16.2 or later as soon as possible. This release contains the necessary patches to address the vulnerability and mitigate the risk of exploitation. Website administrators should monitor their logs for any suspicious activity, particularly deserialization errors or unexplained file deletions.
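One way to act on the log-monitoring advice above, as an added example that is not code from GiveWP or from the advisory: a small Python check that scans URL-encoded request bodies for PHP serialized objects arriving in the two parameters the article names. The log line format, IP addresses, endpoint path, extra parameter name and class name are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode

# Parameters the advisory names as deserialization sinks.
WATCHED_PARAMS = {"give_title", "card_address"}

# PHP serialized object tokens: O:<len>:"<Class>": (object) or C:<len>:"<Class>":
# (custom-serialized object), at the start of a value or nested after ';' or '{'.
# Plain arrays and scalars (a:, s:, i:) are not flagged on their own.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z0-9_\\]+)":')


def find_php_objects(value):
    """Return the class names of PHP objects embedded in a decoded parameter value."""
    return PHP_OBJECT_RE.findall(value)


def scan_request(body):
    """Report watched parameters in a URL-encoded form body that carry PHP objects."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            classes = find_php_objects(value)
            if classes:
                findings.append({"param": name, "classes": classes})
    return findings


def scan_log(lines):
    """Apply scan_request to constructed log lines of the form '<ip> <path> <form-body>'."""
    hits = []
    for line in lines:
        ip, path, body = line.split(" ", 2)
        findings = scan_request(body)
        if findings:
            hits.append({"ip": ip, "path": path, "findings": findings})
    return hits


# Constructed sample log: IPs, path, class name, parameter 'comment' and bodies are made up.
_PATH = "/example-donation-form"
SAMPLE_LOG = [
    "203.0.113.5 " + _PATH + " " + urlencode({"give_title": "Mr", "card_address": "1 Main St"}),
    "203.0.113.9 " + _PATH + " " + urlencode({"give_title": 'O:13:"Example_Class":0:{}'}),
    "198.51.100.7 " + _PATH + " " + urlencode({"card_address": 'a:1:{i:0;O:13:"Example_Class":0:{}}'}),
    "198.51.100.20 " + _PATH + " " + urlencode({"comment": 'O:13:"Example_Class":0:{}'}),
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["findings"])
```

The fourth constructed line is deliberately not reported: an object in an unwatched parameter is outside the sinks the advisory names, so widen WATCHED_PARAMS if your deployment exposes others.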
