PT-2025-1974 · Givewp · Givewp

Petrusviet · Published 2025-01-11 · Updated 2025-08-28 · CVE-2024-12877

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform, versions up to 3.19.2
Description: The issue allows unauthenticated attackers to inject a PHP object via deserialization of untrusted input from the donation form, such as the firstName field. The presence of a POP chain enables attackers to delete arbitrary files on the server, making remote code execution possible. A fully sufficient patch was not released until version 3.19.4.
Recommendations: For versions up to 3.19.2, update to version 3.19.4 to resolve the issue. As a temporary workaround, consider using JSON encoding to prevent further deserialization vulnerabilities. Restrict access to the vulnerable donation form to minimize the risk of exploitation. Avoid using the firstName field in the affected form until the issue is resolved.
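The weakness class described above, contrasted with the JSON-based handling the recommendation calls for, as an added PHP example. This is not GiveWP's code or the advisory's own; the function names, the sample form submission and the detection heuristic are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not GiveWP's code. It contrasts the weakness in the advisory
// (CWE-502: a donation form field reaching unserialize()) with JSON handling.
// All function names and the sample submission below are constructed.

// Constructed sample: a donation form POST as it might arrive, with the
// firstName field carrying a structured value the plugin later restores.
$constructedPost = [
    'firstName' => json_encode(['first' => 'Ada', 'last' => 'Lovelace']),
];

// Vulnerable pattern (the "before"): whatever the client sent is handed to
// unserialize(). A serialized object string instantiates any loaded class, and
// its __wakeup()/__destruct() methods run with the web server's privileges;
// that is the gadget (POP) chain the advisory refers to.
function restore_donor_name_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened version: JSON can express only scalars and arrays, so no PHP class
// is ever instantiated from the input. Depth is capped, malformed input yields
// null instead of silently accepted data, and the result is shape-checked.
function restore_donor_name(string $raw): ?array
{
    try {
        $decoded = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($decoded)) {
        return null;
    }
    $first = $decoded['first'] ?? '';
    $last  = $decoded['last'] ?? '';
    if (!is_string($first) || !is_string($last)) {
        return null;
    }
    // Keep only what a name field needs: plain text, bounded in length.
    return [
        'first' => mb_substr(strip_tags($first), 0, 100),
        'last'  => mb_substr(strip_tags($last), 0, 100),
    ];
}

// Defence in depth for code that must still unserialize() legacy stored data:
// allowed_classes => false turns every object in the payload into a
// __PHP_Incomplete_Class, so none of the application's magic methods run.
function unserialize_data_only(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Detection aid for request logs or a WAF rule: a name field should never
// contain a serialized PHP object ("O:") or custom-serialized class ("C:")
// token. Heuristic only; it flags suspicious submissions, it does not sanitize.
function looks_like_serialized_object(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $value);
}

// Usage with the constructed submission.
$name = restore_donor_name($constructedPost['firstName']);
var_dump($name);
var_dump(looks_like_serialized_object($constructedPost['firstName']));
```

The hardened path is what the "use JSON encoding" workaround amounts to in practice: the data format itself cannot name a class, so the POP chain has nothing to attach to. The `allowed_classes` option is a fallback for stored data that cannot be migrated yet, and the heuristic belongs in logging or edge filtering, not in place of the fix.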

Tags: Fix · RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2024-12877

Affected Products: Givewp