PT-2024-38967 · WordPress · Givewp

Cuokon · Published 2024-09-28 · Updated 2025-09-08 · CVE-2024-8353
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform versions 3.16.1 and earlier
Description: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input through several parameters like give title and card address. This allows unauthenticated attackers to inject a PHP Object, and the presence of a POP chain enables them to delete arbitrary files and achieve remote code execution. Over 100,000 WordPress sites are estimated to be at risk.
Recommendations: For versions 3.16.1 and earlier, update to version 3.16.2 or later to fully resolve the issue. As a temporary workaround, consider disabling the vulnerable parameters give title and card address until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation.
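As an added example (not GiveWP's code and not the fix shipped in 3.16.2), the PHP below shows the defensive handling a plugin should apply to request parameters that reach unserialize(): refuse anything that looks like a serialized object, and never let unserialize() instantiate classes. The parameter names give_title and card_address and the function names are assumptions for illustration.

```php
<?php
// Added example, not GiveWP's code. Parameter names are assumed.

/**
 * True if the string carries a serialized PHP object or custom-serialized
 * class token ("O:<len>:" or "C:<len>:"), either at the top level or nested
 * inside a serialized array. Deliberately conservative: a false positive
 * only rejects a value that a donation form should never contain anyway.
 */
function looks_like_serialized_object(string $value): bool
{
    // Object tokens sit at the start of the payload or directly after a
    // separator (';' closes the previous element, '{' opens an array body).
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $value);
}

/**
 * Deserialize untrusted data without instantiating any class. With
 * allowed_classes => false every object becomes __PHP_Incomplete_Class, so
 * no __wakeup()/__destruct() gadget method can run. Returns null on failure
 * or on a rejected payload.
 */
function safe_unserialize(string $value)
{
    if (looks_like_serialized_object($value)) {
        return null;
    }
    $result = @unserialize($value, ['allowed_classes' => false]);
    // unserialize() returns false on error; keep a genuine serialized false.
    return ($result === false && $value !== 'b:0;') ? null : $result;
}

// Constructed sample request values for the assumed parameters.
$samples = [
    'give_title'   => 's:12:"Spring Drive";',                // plain string
    'card_address' => 'a:1:{i:0;O:8:"stdClass":0:{}}',       // object nested in array
    'give_title2'  => 'O:8:"stdClass":1:{s:1:"f";s:4:"path";}', // top-level object
];

foreach ($samples as $name => $raw) {
    $decoded = safe_unserialize($raw);
    printf("%-13s %s\n", $name, $decoded === null ? 'REJECTED' : 'accepted');
}
```

The stronger fix is to stop calling unserialize() on request input altogether and accept plain strings or JSON for these fields; the filter above is the stop-gap for code paths that cannot be changed immediately.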

Exploit · Fix · RCE · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2024-8353

Affected Products: Givewp