WordPress · Givewp · CVE-2024-9634
**Name of the Vulnerable Software and Affected Versions**
GiveWP – Donation Plugin and Fundraising Platform versions up to, and including, 3.16.3
**Description**
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the `give_company_name` parameter. This makes it possible for unauthenticated attackers to inject a PHP object. The additional presence of a POP chain allows attackers to achieve remote code execution. Over 100,000 WordPress sites are potentially at risk.
**Recommendations**
For versions up to, and including, 3.16.3, update to version 3.16.4 or later to prevent arbitrary code execution. As a temporary workaround, consider restricting access to the `give_company_name` parameter to minimize the risk of exploitation.
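An added illustration of the vulnerability class described above (untrusted input passed to `unserialize()`) beside two hardened forms that address the recommendation; this is example code, not GiveWP's own, and the handler functions and the `Logger` gadget class are hypothetical, with only the parameter name taken from the advisory.

```php
<?php
// Added illustration, not GiveWP code. Shows why unserializing a request
// parameter is PHP Object Injection and two safer ways to handle the input.
// Only the parameter name comes from the advisory; everything else is hypothetical.

// Any class with a magic method (__destruct, __wakeup, __toString) that
// reaches a sensitive sink is a potential gadget in a POP chain. Here the
// "sink" is just an echo so the demonstration has no side effects.
class Logger {
    public $file = '/tmp/app.log';
    public $data = '';
    public function __destruct() {
        echo "[gadget] Logger::__destruct ran for {$this->file}\n";
    }
}

// Vulnerable pattern: the attacker chooses which class gets instantiated.
function vulnerable_handler(array $request): string {
    $company = unserialize($request['give_company_name']);
    return is_string($company) ? $company : '';
}

// Hardened pattern 1: refuse to instantiate any class while unserializing
// (PHP >= 7.0). Objects decode to __PHP_Incomplete_Class, so no magic
// method of a real class ever runs; non-strings are rejected.
function hardened_handler(array $request): string {
    $company = unserialize($request['give_company_name'], ['allowed_classes' => false]);
    return is_string($company) ? $company : '';
}

// Hardened pattern 2 (preferred): a company name is plain text, so never
// deserialize it at all; treat it as a string and sanitize it.
function safe_handler(array $request): string {
    $company = trim(strip_tags((string) ($request['give_company_name'] ?? '')));
    return mb_substr($company, 0, 200);
}

// Constructed inputs: a benign serialized string and a serialized Logger
// object of the shape an injected payload would take (built as a literal so
// no Logger instance exists before the handler runs).
$benign   = ['give_company_name' => serialize('Acme Ltd')];
$injected = ['give_company_name' =>
    'O:6:"Logger":2:{s:4:"file";s:12:"/tmp/app.log";s:4:"data";s:0:"";}'];

echo "vulnerable: " . vulnerable_handler($injected) . "\n"; // gadget echo fires here
echo "hardened:   " . (hardened_handler($injected) === '' ? 'object rejected' : 'FAIL') . "\n";
echo "hardened:   " . hardened_handler($benign) . "\n";    // Acme Ltd
echo "safe:       " . safe_handler(['give_company_name' => 'Acme <b>Ltd</b>']) . "\n"; // Acme Ltd
```

Running it shows the gadget's `__destruct` firing only on the vulnerable path; the `allowed_classes` option is the minimal code change when a serialized format cannot be dropped, while treating the field as a plain string removes the attack surface entirely.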