CVE-2024-47315

5.4 MEDIUM

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in the GiveWP WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. This affects all GiveWP installations from unknown versions through 3.15.1. The vulnerability enables attackers to perform actions on behalf of logged-in users without their consent.

💻 Affected Systems

Products:
  • GiveWP WordPress Plugin
Versions: n/a through 3.15.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations using vulnerable GiveWP versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify donation settings, change payment configurations, or alter plugin behavior leading to financial loss or data exposure.

🟠 Likely Case

Attackers could change donation form settings, modify fundraising goals, or alter plugin configurations.

🟢 If Mitigated

With proper CSRF protections and user awareness, the risk is significantly reduced as exploitation requires user interaction.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into clicking malicious links or visiting compromised sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.15.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/give/wordpress-givewp-donation-plugin-and-fundraising-platform-plugin-3-15-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find GiveWP and click 'Update Now'.
4. Verify the update completes successfully.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all)

Add custom CSRF protection to GiveWP forms using WordPress nonces.

Requires custom WordPress development; no single command.
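The workaround above says "use WordPress nonces" without showing the pattern. The following is an added example, not GiveWP's own code and not a fix for the specific endpoint affected by this CVE: it shows a generic WordPress admin action first without a nonce check and then with one, using the core functions wp_nonce_field(), check_admin_referer() and check_ajax_referer(). Every name prefixed "example_" and the "example_donation_goal" option are assumptions made for illustration.

```php
<?php
// Added example, not GiveWP's code: the generic WordPress pattern the workaround
// above refers to. All "example_" names and the "example_donation_goal" option
// are assumptions made for illustration.

// --- What an unprotected admin action looks like ----------------------------
// The browser attaches the admin's cookies to any POST aimed at admin-post.php,
// whichever page produced the form, and nothing here proves the admin intended
// the request. This is the shape of a CSRF-prone handler.
function example_save_goal_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    update_option( 'example_donation_goal', absint( $_POST['goal'] ?? 0 ) );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// --- Hardened form: render a nonce with the form ----------------------------
// wp_nonce_field() emits a hidden input whose value is bound to the action
// name, the current user's session and a time window, so a third-party page
// cannot produce a valid one.
function example_render_goal_form() {
    $goal = (int) get_option( 'example_donation_goal', 0 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_goal">
        <?php wp_nonce_field( 'example_save_goal', 'example_nonce' ); ?>
        <label>Goal:
            <input type="number" name="goal" value="<?php echo esc_attr( $goal ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened handler: verify the nonce before touching state ---------------
// check_admin_referer() verifies the nonce in $_POST['example_nonce'] and
// calls wp_die() on failure, which is what stops a forged cross-site POST.
// The capability check stays: a nonce proves intent, not authorization.
function example_save_goal_handler() {
    check_admin_referer( 'example_save_goal', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    update_option( 'example_donation_goal', absint( $_POST['goal'] ?? 0 ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_goal', 'example_save_goal_handler' );

// --- Same rule for admin-ajax.php endpoints ---------------------------------
// check_ajax_referer() reads the nonce from the named request field and ends
// the request (HTTP 403 in an AJAX context) when it does not verify.
function example_ajax_save_goal() {
    check_ajax_referer( 'example_save_goal', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_donation_goal', absint( $_POST['goal'] ?? 0 ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_goal', 'example_ajax_save_goal' );
```

Two design points matter here. The nonce and the capability check are separate controls: the capability check answers "may this user do this?", the nonce answers "did this user actually ask for it?", and CSRF is precisely the case where the first passes and the second fails. Also, a nonce check added in custom code only protects the handlers you wrap; it does not retrofit the plugin's own endpoints, which is why updating to 3.15.2 remains the actual fix.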

Restrict Admin Access (applies to: all)

Limit administrative access to trusted networks only.

Use WordPress security plugins or .htaccess rules to restrict /wp-admin access.

🧯 If You Can't Patch

  • Disable GiveWP plugin temporarily if not critical
  • Implement strict SameSite cookie policies and Content Security Policy headers

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → GiveWP version

Check Version:

wp plugin list --name=give --field=version (if WP-CLI installed)

Verify Fix Applied:

Verify GiveWP version is 3.15.2 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to GiveWP admin endpoints without referrer validation
  • Multiple failed CSRF token validations in WordPress debug logs

Network Indicators:

  • External domains making requests to /wp-admin/admin-ajax.php with GiveWP actions
  • Suspicious referrer headers in GiveWP-related requests

SIEM Query:

source="wordpress.log" AND ("givewp" OR "give_") AND ("csrf" OR "nonce" OR "referer")
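The indicators above describe what to look for but not how to check for it. As an added example that is not part of this advisory, the script below scans Apache combined-format access log lines for POSTs to the WordPress admin endpoints that carry a GiveWP-style action and arrive with a missing or foreign Referer. The site host, the log lines and the action names (give_save_settings, give_update_goal) are constructed for the example; the plugin's real action names are not listed on this page. Note that access logs do not record POST bodies, so this only catches actions passed in the query string; actions sent in the body need application-level logging.

```php
<?php
// Added example, not part of the advisory. Constructed sample data throughout;
// EXAMPLE_SITE_HOST and the give_* action names are assumptions.
// Requires PHP 8.0+ for str_starts_with().

const EXAMPLE_SITE_HOST = 'donate.example.org';

/** Parse one Apache "combined" log line into its fields, or return null. */
function example_parse_combined( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

/**
 * Return a reason string when a request looks like a cross-site POST to a
 * GiveWP admin endpoint, otherwise null.
 */
function example_csrf_indicator( array $r ): ?string {
    if ( $r['method'] !== 'POST' ) {
        return null; // GET requests cannot carry a state-changing nonce-less POST
    }
    $path  = parse_url( $r['path'], PHP_URL_PATH ) ?? '';
    $query = parse_url( $r['path'], PHP_URL_QUERY ) ?? '';
    parse_str( $query, $params );

    $admin_endpoint = in_array( $path, [ '/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php' ], true );
    $action         = $params['action'] ?? '';
    $give_action    = str_starts_with( $action, 'give_' ) || stripos( $action, 'givewp' ) !== false;
    if ( ! $admin_endpoint || ! $give_action ) {
        return null;
    }

    // No Referer at all: browsers strip it on some cross-origin navigations,
    // so treat it as suspicious rather than benign.
    if ( $r['referer'] === '' || $r['referer'] === '-' ) {
        return 'GiveWP admin POST with no Referer';
    }
    $ref_host = (string) parse_url( $r['referer'], PHP_URL_HOST );
    if ( strcasecmp( $ref_host, EXAMPLE_SITE_HOST ) !== 0 ) {
        return "GiveWP admin POST referred from external host {$ref_host}";
    }
    return null;
}

// Constructed sample log lines: two suspicious POSTs, one legitimate POST
// from the site's own admin pages, and one GET that should be ignored.
$example_lines = [
    '203.0.113.7 - - [17/Sep/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=give_save_settings HTTP/1.1" 200 15 "https://evil.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Sep/2024:10:02:10 +0000] "POST /wp-admin/admin-post.php?action=give_update_goal HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Sep/2024:10:03:30 +0000] "POST /wp-admin/admin-ajax.php?action=give_save_settings HTTP/1.1" 200 15 "https://donate.example.org/wp-admin/edit.php" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Sep/2024:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=give_save_settings HTTP/1.1" 200 15 "https://evil.example.net/" "Mozilla/5.0"',
];

foreach ( $example_lines as $line ) {
    $r = example_parse_combined( $line );
    if ( $r === null ) {
        continue;
    }
    $why = example_csrf_indicator( $r );
    if ( $why !== null ) {
        echo "{$r['time']} {$r['ip']} {$r['path']}: {$why}\n";
    }
}
```

Run against the sample, the first two lines are flagged and the other two are not. A Referer check is a heuristic, not proof: a legitimate admin may have a privacy extension that suppresses the header, and a 200 response on a flagged line tells you only that the request reached the endpoint, so corroborate hits with the nonce-failure entries the advisory mentions before treating them as exploitation.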
