CVE-2024-37099

10.0 CRITICAL

📋 TL;DR

CVE-2024-37099 is an unauthenticated PHP object injection vulnerability in the GiveWP WordPress plugin. Because the plugin deserializes untrusted input, an attacker can inject a crafted PHP object and execute arbitrary code on affected WordPress sites without authenticating. All WordPress installations running GiveWP versions up to and including 3.14.1 are vulnerable.

💻 Affected Systems

Products:
  • WordPress GiveWP Plugin
Versions: n/a through 3.14.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable GiveWP versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data theft, ransomware deployment, website defacement, and lateral movement to other systems.

🟠

Likely Case

Website takeover, backdoor installation, data exfiltration, and cryptocurrency mining malware deployment.

🟢

If Mitigated

Limited impact if proper web application firewalls and intrusion detection systems block exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available and requires no authentication, making this easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.14.2 and later

Vendor Advisory: https://wordpress.org/plugins/give/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find GiveWP and click 'Update Now'.
4. Verify the installed version is 3.14.2 or higher.

🔧 Temporary Workarounds

Disable GiveWP Plugin

all

Temporarily disable the vulnerable plugin until patching is possible.

wp plugin deactivate give

Web Application Firewall Rule

all

Block malicious requests targeting the vulnerable endpoint.

# Add WAF rule to block requests containing suspicious deserialization patterns

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WordPress servers
  • Deploy web application firewall with rules blocking PHP object injection patterns

🔍 How to Verify

Check if Vulnerable:

Check the GiveWP version under WordPress admin panel → Plugins. If the version is 3.14.1 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=give --field=version

Verify Fix Applied:

Verify GiveWP version is 3.14.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to GiveWP endpoints
  • PHP error logs containing unserialize() warnings
  • Web server logs showing exploitation patterns

Network Indicators:

  • HTTP requests containing serialized PHP objects
  • Traffic spikes to GiveWP plugin endpoints

SIEM Query:

source="web_logs" AND (uri_path="*give*" OR user_agent="*GiveWP*") AND (http_method="POST" AND size_bytes>1000)
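The log and network indicators above (POST requests to GiveWP paths carrying serialized PHP objects) can be turned into a concrete log check. The following is an added example, not part of this advisory or of GiveWP; it assumes a constructed log format in which a WAF or reverse proxy appends the request body as a final quoted field, and uses a harmless stdClass object as the sample payload.

```python
import re
from urllib.parse import unquote_plus

# Serialized PHP object header: O:<byte-length>:"<ClassName>":<property-count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]+)":\d+:\{')

# Constructed log format (assumption): combined-log prefix followed by the
# request body as a final quoted field, as a WAF or reverse proxy might record it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<body>.*)"$'
)

def php_object_classes(text: str) -> list:
    """Return class names of serialized PHP objects in text, URL-decoding first.
    The declared byte length must equal the class name's length, which filters
    out incidental strings that merely resemble the O:..: header."""
    decoded = unquote_plus(text)
    return [
        name for length, name in PHP_OBJECT_RE.findall(decoded)
        if int(length) == len(name.encode())
    ]

def scan_access_log(lines):
    """Flag requests to GiveWP-related paths (the advisory's *give* heuristic)
    whose query string or body carries a serialized PHP object."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "give" not in m["path"].lower():
            continue
        classes = php_object_classes(m["path"] + " " + m["body"])
        if classes:
            findings.append((m["ip"], m["method"], m["path"], classes))
    return findings

# Constructed sample lines (not real traffic). Only the third carries a serialized
# object on a GiveWP path; the last carries a serialized array, which is not an object.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2024:10:00:00 +0000] "GET /donate/?give_form_id=1 HTTP/1.1" 200 4821 ""',
    '203.0.113.5 - - [01/Jul/2024:10:00:07 +0000] "POST /donate/?give_form_id=1 HTTP/1.1" 200 310 "give-amount=25&give-first=Ada"',
    '198.51.100.9 - - [01/Jul/2024:10:01:12 +0000] "POST /donate/?give_form_id=1 HTTP/1.1" 200 128 "give-first=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"',
    '198.51.100.9 - - [01/Jul/2024:10:01:30 +0000] "POST /contact/ HTTP/1.1" 200 64 "msg=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '192.0.2.7 - - [01/Jul/2024:10:02:00 +0000] "POST /donate/?give_form_id=1 HTTP/1.1" 200 90 "note=a%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D"',
]

if __name__ == "__main__":
    for ip, method, path, classes in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} {method} {path} serialized objects: {classes}")
```

Widening the path filter (or dropping it) catches the same payload shape on other endpoints at the cost of more review work; the length check keeps ordinary form text from tripping the rule.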

🔗 References
