PT-2024-39731 · WordPress · GiveWP

Fabrice Perez +1 · Published 2024-10-15 · Updated 2025-02-27

CVE-2024-9634 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform, versions up to and including 3.16.3
Description: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.16.3 via deserialization of untrusted input from the give_company_name request parameter. This lets an unauthenticated attacker inject a PHP object of any class that is loaded at the time of deserialization. The additional presence of a POP (property-oriented programming) chain, i.e. reachable magic methods such as __destruct or __wakeup that act on the injected properties, allows the attacker to turn this into remote code execution. The plugin has over 100,000 active installations, so a comparable number of WordPress sites are potentially exposed.
Recommendations: For versions up to and including 3.16.3, update to version 3.16.4 or later to close the arbitrary code execution path. Until the update is applied, restrict access to the give_company_name parameter as a temporary workaround: for example, reject at a WAF, reverse proxy or request filter any submission whose give_company_name value looks like PHP-serialized data (a value that starts with a serialization token such as O:, C:, a: or s:), since a legitimate company name never does. This reduces, but does not remove, the risk of exploitation.
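The vulnerable pattern, its hardened form and a request-level guard for the interim workaround, as an added example that is not GiveWP's code and not part of the original advisory. It assumes PHP 8; the class LogWriter, the function names and the file path /tmp/pwn.txt are hypothetical stand-ins, and the payload is constructed for the demo. It goes one step beyond the advisory's single parameter: the guard walks PHP's serialization grammar, so it also catches an object token nested inside an array and does not misfire on an ordinary name that happens to contain "O:".

```php
<?php
declare(strict_types=1);

// Added example (PHP 8), not GiveWP's code: it models the bug class behind
// CVE-2024-9634, a request parameter passed straight to unserialize(). The
// class LogWriter, the function names and the file path are hypothetical.

// Gadget: a class whose magic method acts on attacker-controlled properties.
// A real POP chain links several such classes from the plugin or WordPress
// core; this single-step chain stands in for it.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    public function __destruct()
    {
        // Fires when the object is released, i.e. right after unserialize()
        // built it. The application never has to call a method on it.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable sink: every O: token in the input becomes a live object.
// A handler with this bug looks like (hypothetical):
//   $company = store_company_name_vulnerable($_POST['give_company_name'] ?? '');
function store_company_name_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened sink: with allowed_classes => false no class is instantiated; an
// O: token yields __PHP_Incomplete_Class and no magic method ever runs.
// (Storing the field as JSON or a plain string is the better long-term fix.)
function store_company_name_hardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Interim guard for the workaround: reject a give_company_name value that
// contains an object token (O: or C:) at any nesting depth. A bare
// strpos($raw, 'O:') misfires on ordinary names such as "ACME CO:LTD" and on
// string bodies, so this walks the serialization grammar instead: a token may
// only start at offset 0 or right after '{', ';' or '}', and s:<n>:"..." bodies
// are skipped by their declared byte length rather than scanned.
function contains_serialized_object(string $raw): bool
{
    $len = strlen($raw);
    $i = 0;
    $tokenStart = true;
    while ($i < $len) {
        $c = $raw[$i];
        $next = $i + 1 < $len ? $raw[$i + 1] : '';
        if ($tokenStart && $next === ':') {
            if ($c === 'O' || $c === 'C') {
                return true;
            }
            if ($c === 's') {
                $end = strpos($raw, ':', $i + 2);      // ':' that follows the length
                if ($end === false) {
                    return false;                       // malformed: unserialize() fails too
                }
                $n = (int) substr($raw, $i + 2, $end - $i - 2);
                $i = $end + 2 + $n + 1;                 // jump past :"<body>"
                $tokenStart = false;
                continue;
            }
        }
        $tokenStart = ($c === '{' || $c === ';' || $c === '}');
        $i++;
    }
    return false;
}

// Constructed payload: one LogWriter whose destructor drops a file on disk.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:12:"/tmp/pwn.txt";s:4:"data";s:3:"pwn";}';

$checks = [
    'object token at top level'   => contains_serialized_object($payload),
    'object nested in an array'   => contains_serialized_object('a:1:{i:0;' . $payload . '}'),
    'object text inside a string' => contains_serialized_object('s:16:"O:9:"LogWriter":";'),
    'ordinary company name'       => contains_serialized_object('ACME CO:LTD'),
];
foreach ($checks as $label => $flagged) {
    printf("%-28s %s\n", $label, $flagged ? 'REJECT' : 'allow');
}

$safe = store_company_name_hardened($payload);
printf("hardened sink produced %s; the gadget destructor did not run\n", get_class($safe));
unset($safe);

// Uncomment to run the gadget: /tmp/pwn.txt appears once the script exits.
// store_company_name_vulnerable($payload);
```

Run it with `php example.php`. The only call that instantiates the gadget is commented out; uncommenting it shows the destructor firing, with no method call by the application, as soon as the deserialized object is released. The guard is meant for a WAF rule or a WordPress mu-plugin request filter while the update is pending; the durable fix is upgrading to 3.16.4 or later.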

Tags: Fix · RCE

Weakness Enumeration: CWE-502 Deserialization of Untrusted Data

Related Identifiers: CVE-2024-9634

Affected Products: GiveWP