Sunday, September 8, 2024

GiveWP Plugin Vulnerability Risked 100,000+ Websites To RCE


A critical code execution vulnerability compromised the security of the GiveWP WordPress plugin, putting thousands of websites at risk. Users running this plugin should update their sites to the latest plugin release to receive the patch.

GiveWP Plugin Vulnerability Allowed Remote Code Execution

As detailed in a recent post from Wordfence, a critical code execution vulnerability existed in the GiveWP plugin. GiveWP is a well-known WordPress plugin that provides site owners with features for quick donations and fundraising campaigns. However, with over 100,000 active installations, the plugin also exposed thousands of WordPress sites worldwide to attack because of this vulnerability.

Specifically, the vulnerability is a PHP Object Injection issue that affected all GiveWP plugin versions up to and including 3.14.1. It existed because of the "deserialization of untrusted input from the 'give_title' parameter." Exploiting this vulnerability allowed an unauthenticated attacker to inject a malicious PHP object. Moreover, the presence of a POP (property-oriented programming) chain, i.e. existing classes whose magic methods do something dangerous with attacker-controlled properties, also allowed the attacker to perform various malicious actions, such as executing code remotely or deleting arbitrary files.
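To make the bug class concrete, the following is an added PHP illustration of how unserialize() on request input becomes arbitrary file deletion, beside a hardened handler. It is not GiveWP's code or the gadget chain Wordfence describes: the class TempFileCleanup, the handler functions and the payload are hypothetical and constructed for this demonstration; only the 'give_title' parameter name is taken from the advisory.

```php
<?php
// Added demonstration, not GiveWP code. All class and function names are
// hypothetical; the payload is constructed locally for the demo.

// A hypothetical "gadget": any class autoloadable at unserialize() time whose
// magic method (__destruct, __wakeup, __toString, ...) acts on its own
// properties can become a link in a POP chain, because the attacker controls
// those properties through the serialized string.
class TempFileCleanup
{
    public string $path = '';

    // Fires automatically as soon as the unserialized object is freed, so the
    // handler below does not even need to use the object for this to run.
    public function __destruct()
    {
        if ($this->path !== '' && file_exists($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: a request value reaches unserialize() unchanged.
function vulnerableHandler(array $request): string
{
    $title = unserialize($request['give_title']);   // object injection point
    // When $title goes out of scope on return, TempFileCleanup::__destruct runs.
    return is_string($title) ? $title : 'unexpected type';
}

// Hardened pattern: a title is plain text, so treat it as text and never hand
// request data to unserialize().
function hardenedHandler(array $request): string
{
    $raw = $request['give_title'] ?? '';
    $title = is_string($raw) ? trim($raw) : '';
    return htmlspecialchars(substr($title, 0, 255), ENT_QUOTES, 'UTF-8');
}

// If a serialized blob genuinely must be parsed, forbid object instantiation:
// with allowed_classes => false every object becomes __PHP_Incomplete_Class,
// whose magic methods are never invoked, so no gadget can fire.
function safeUnserialize(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// --- demo (constructed) -------------------------------------------------
$victim = tempnam(sys_get_temp_dir(), 'donation');
file_put_contents($victim, 'important record');

// Build the attacker's payload with serialize() for readability; a real
// attacker would hand-craft the string and submit it in the request.
$gadget = new TempFileCleanup();
$gadget->path = $victim;
$payload = serialize($gadget);
$gadget->path = '';   // neutralise the local copy's own destructor
echo "payload: $payload\n";

vulnerableHandler(['give_title' => $payload]);
echo 'after vulnerable handler, victim exists: '
    . var_export(file_exists($victim), true) . "\n";

file_put_contents($victim, 'important record');
hardenedHandler(['give_title' => $payload]);
echo 'after hardened handler, victim exists: '
    . var_export(file_exists($victim), true) . "\n";

$obj = safeUnserialize($payload);
echo 'allowed_classes=false yields: ' . get_class($obj) . "\n";

if (file_exists($victim)) {
    unlink($victim);
}
```

Run with `php demo.php` (PHP 7.4 or later for the typed property). The vulnerable handler never touches the object, yet the victim file disappears because the destructor of the injected class runs on cleanup; the hardened handler leaves it in place, and the allowed_classes => false variant yields an incomplete-class stub instead of a live gadget. The same mechanism, with a gadget that writes a file or evaluates a string rather than deleting, is what turns object injection into remote code execution.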

This vulnerability, CVE-2024-5932, received a critical severity rating with a CVSS score of 10.0. That is the maximum possible score, and it signals the highest threat level for a flaw: exploitation can cause extensive damage to affected sites.

Patch Deployed – Update ASAP!

This vulnerability was first discovered by security researcher Villu Orav (villu164), who responsibly disclosed it through Wordfence's bug bounty program.

In response to his report, the GiveWP team patched the flaw in plugin version 3.14.2, released earlier this month. Wordfence awarded the researcher a $4,998 bug bounty for this report.

The plugin's official WordPress page lists version 3.15.1 as the latest release. Hence, users should update their websites to this plugin version to receive all security fixes and feature enhancements.

Let us know your thoughts in the comments.
