GiveWP, a popular donation plugin for WordPress, has patched an unauthenticated PHP Object Injection to Remote Code Execution vulnerability that could be exploited to execute arbitrary code remotely and delete files. This plugin from the Liquid Web family of products has 100k+ active installs.
villu164 (Villu Orav) reported the vulnerability through the Wordfence Bug Bounty Program and netted a bounty of $4,998.00. The researchers have classified it as a “Critical” concern, with a CVSS score of 10.0, and strongly recommend updating to the latest version.
Wordfence shared that the GiveWP plugin is “vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the ‘give_title’ parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.”
The vulnerability researcher István Márton’s post has more technical details about GiveWP’s vulnerability. Wordfence contacted StellarWP and later WordPress.org Security Team and finally, a patch was released in version 3.14.2 of the GiveWP plugin on August 7, 2024.
Wordfence launched the Bug Bounty Program in November 2023 to reward researchers for finding vulnerabilities and disclosing them privately.
