CVE-2024-5977

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress versions up to, and including, 3.13.0

Description: The issue is related to Insecure Direct Object Reference, which occurs due to missing validation on a user-controlled key in the handleRequest function. This allows authenticated attackers with GiveWP Worker-level access and above to delete and update arbitrary posts.

Recommendations: For versions up to, and including, 3.13.0, update to a version that includes a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the handleRequest function to minimize the risk of arbitrary post deletion and updates.