PT-2024-6172 · WordPress · Givewp

Villu Orav +1 · Published 2024-08-19 · Updated 2026-02-21 · CVE-2024-5932

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GiveWP versions 3.14.1 and earlier
Description: The GiveWP plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input from the `give_title` parameter. An unauthenticated attacker can inject a PHP object, and the presence of a POP chain lets them execute code remotely and delete arbitrary files. The issue affects over 100,000 WordPress sites; the number of potentially affected installations worldwide is not stated explicitly, though it is mentioned that 173K+ services are found on a specific website nearly every year. Real-world exploitation of this issue has been reported, but no specific details are provided.
Recommendations: For GiveWP versions 3.14.1 and earlier, update to version 3.14.2 or later. As a temporary workaround until the patch can be applied, disable the `give_title` parameter in the affected API endpoint, restrict access to the vulnerable module to reduce the risk of exploitation, and avoid using the `give_title` parameter in that endpoint until the issue is resolved.

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2024-07092
CVE-2024-5932

Affected Products

Givewp