CVE-2024-9634 (CVSS 9.8): Critical GiveWP Flaw Exposes 100,000+ WordPress Sites to RCE

Summary: A critical PHP Object Injection vulnerability (CVE-2024-9634) has been identified in the GiveWP WordPress donation plugin, affecting over 100,000 installations. This flaw allows unauthenticated attackers to execute arbitrary code, potentially compromising sensitive donor data and gaining complete control over vulnerable websites.

Threat Actor: Unauthenticated attackers
Victim: GiveWP users

Key Points:

  • Vulnerability CVE-2024-9634 has a CVSS score of 9.8, indicating its critical nature.
  • Attackers can exploit the flaw to execute arbitrary code without authentication, posing a significant risk to sensitive data.
  • The GiveWP development team has released a patched version (3.16.4) and urges all users to update immediately.

A critical security vulnerability (CVE-2024-9634) has been discovered and patched in GiveWP, a popular WordPress donation plugin with over 100,000 active installations. The flaw, a PHP Object Injection vulnerability, could allow unauthenticated attackers to execute arbitrary code on vulnerable websites, potentially compromising sensitive donor data and taking complete control of the site.

The vulnerability, with a CVSS score of 9.8, was identified by security researcher “lefab” and stemmed from the plugin’s improper handling of the give_company_name parameter. This allowed attackers to inject malicious PHP objects, which, when combined with a pre-existing POP chain (a sequence of gadgets in the code that can be chained together to achieve code execution), could lead to remote code execution.
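To make the bug class concrete, here is an added illustration of PHP Object Injection and its fix. This is not GiveWP's code: the handler names are hypothetical, only the give_company_name field name comes from the advisory, and the serialized input is a harmless constructed stdClass.

```php
<?php
// Added illustration of the PHP Object Injection bug class, not GiveWP's code.
// Assumption: a hypothetical donation-form handler receives the
// give_company_name field from the request ($_POST in a real site).

// Vulnerable pattern: request data flows straight into unserialize(), so any
// class loaded on the site (plugin, theme, core) can be instantiated and its
// magic methods (__wakeup, __destruct, __toString) become reachable.
function company_name_vulnerable(array $post)
{
    $raw = $post['give_company_name'] ?? '';
    return unserialize($raw);            // attacker controls this string
}

// Hardened pattern: the field is plain text, so it is never deserialized.
// Treat it as a string, strip tags and bound its length. In WordPress,
// sanitize_text_field() does this; the inline version keeps the file stand-alone.
function company_name_hardened(array $post): string
{
    $raw = $post['give_company_name'] ?? '';
    if (!is_string($raw)) {
        return '';
    }
    return mb_substr(trim(strip_tags($raw)), 0, 255);
}

// If serialized data genuinely must be read (e.g. legacy stored options),
// refuse class instantiation: objects come back as __PHP_Incomplete_Class
// and no magic method ever runs.
function unserialize_no_objects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Detection helper for request logging or WAF rules: a real company name
// never begins with a PHP object (O:) or custom-class (C:) serialization header.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/^[OC]:\d+:"/', $raw);
}

// Constructed demo input: a harmless serialized stdClass with no properties.
$demo = ['give_company_name' => 'O:8:"stdClass":0:{}'];

var_dump(is_object(company_name_vulnerable($demo)));                     // bool(true)
var_dump(company_name_hardened($demo));                                  // string, untouched text
var_dump(unserialize_no_objects($demo['give_company_name'])
         instanceof __PHP_Incomplete_Class);                             // bool(true)
var_dump(looks_like_serialized_object($demo['give_company_name']));      // bool(true)
```

The vulnerable path yields a live object from untrusted input, while the hardened path keeps the value as inert text; the detection helper is useful for flagging such input in access logs when auditing a site before and after applying the 3.16.4 update.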

Given the widespread use of the GiveWP plugin, this vulnerability puts a significant number of websites in danger. Attackers exploiting CVE-2024-9634 can execute arbitrary code, leading to full control over affected sites without needing to authenticate or bypass additional security controls.

The GiveWP development team responded swiftly to the report, releasing a patched version (3.16.4) to address the vulnerability. All users of GiveWP are strongly urged to update to the latest version immediately.

Source: https://securityonline.info/cve-2024-9634-cvss-9-8-critical-givewp-flaw-exposes-100000-wordpress-sites-to-rce