CVE-2024-8353
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform PHP object injection in the GiveWP WordPress plugin, leading to arbitrary file deletion and remote code execution. All WordPress sites using GiveWP versions up to 3.16.1 are affected. The vulnerability stems from insecure deserialization of user-controlled input in donation processing parameters.
💻 Affected Systems
- GiveWP - Donation Plugin and Fundraising Platform for WordPress
📦 What is this software?
GiveWP by GiveWP
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise including remote code execution, data theft, and website defacement
Likely Case
Arbitrary file deletion leading to site disruption and potential privilege escalation to RCE
If Mitigated
Limited impact with proper input validation and file permissions in place
🎯 Exploit Status
Exploitation is straightforward due to unauthenticated access and a known POP chain
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.16.2
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3157829/give/tags/3.16.2/includes/process-donation.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find GiveWP plugin
4. Click 'Update Now' if available
5. If no update available, download version 3.16.2+ from WordPress.org
6. Deactivate old plugin, upload new version, activate
🔧 Temporary Workarounds
Disable GiveWP Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate give
Web Application Firewall Rule
Block requests containing serialized PHP objects in donation parameters
ModSecurity rule: SecRule ARGS "@rx O:[0-9]+:" "id:1001,phase:2,deny,msg:'PHP Object Injection Attempt'"
Cloudflare WAF: Create rule to block requests with 'give_title' or 'card_address' containing serialized data
🧯 If You Can't Patch
- Disable the GiveWP plugin immediately
- Implement strict input validation at the web server level to block serialized data
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for GiveWP version. If version is 3.16.1 or lower, you are vulnerable.
Check Version:
wp plugin list --name=give --field=version
Verify Fix Applied:
Verify GiveWP plugin version is 3.16.2 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'give_title' or 'card_address' parameters containing serialized data
- Unexpected file deletion events in WordPress uploads directory
- PHP errors related to unserialize() or object injection
Network Indicators:
- HTTP requests with serialized PHP objects in donation form parameters
- Unusual outbound connections from WordPress server post-exploitation
SIEM Query:
source="wordpress.log" AND ("give_title" OR "card_address") AND ("O:" OR "a:" OR "s:" OR "i:" OR "d:")
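As an added example (not part of this advisory or the GiveWP project), a Python detector for the log indicators above: it parses form-encoded POST bodies, URL-decodes a second time to catch double encoding, and matches anchored PHP serialization grammar rather than the bare "O:"/"s:"/"i:" tokens, which the SIEM query above would also hit in ordinary address text. The parameter names come from the advisory; the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Donation-form parameters the advisory names as the injection point (CVE-2024-8353).
WATCHED_PARAMS = {"give_title", "card_address"}

# Anchored PHP serialization grammar: bare "s:" / "i:" / "d:" also match harmless text
# such as "Bus: 10"; requiring length, value and delimiter as serialize() emits them does not.
PHP_OBJECT = re.compile(r'O:\d+:"[^"]*":\d+:\{')
PHP_SERIALIZED = re.compile(r'(?:a:\d+:\{|s:\d+:"|i:-?\d+;|d:-?\d+(?:\.\d+)?;|b:[01];|N;)')

def classify_value(value: str) -> str:
    """Return 'object', 'serialized' or 'clean' for one parameter value."""
    # Decode once more so a double URL-encoded payload (%2522 -> %22 -> ") is still seen.
    candidates = (value, unquote_plus(value))
    if any(PHP_OBJECT.search(c) for c in candidates):
        return "object"
    if any(PHP_SERIALIZED.search(c) for c in candidates):
        return "serialized"
    return "clean"

def inspect_body(body: str) -> dict:
    """Map each watched parameter in a form-encoded POST body to its worst classification."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name in WATCHED_PARAMS:
            findings[name] = max((classify_value(v) for v in values),
                                 key={"clean": 0, "serialized": 1, "object": 2}.get)
    return findings

def scan(bodies) -> list:
    """Return (index, findings) for every body with a non-clean watched parameter."""
    hits = []
    for index, body in enumerate(bodies):
        flagged = {k: v for k, v in inspect_body(body).items() if v != "clean"}
        if flagged:
            hits.append((index, flagged))
    return hits

# Constructed sample bodies (not captured traffic): normal donation, serialized object,
# serialized array, and the same object double URL-encoded.
SAMPLE_BODIES = [
    "give-amount=25&give_title=Mr.&give_first=Ann&card_address=Bus%3A+10+Main+St",
    "give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D&card_address=221B+Baker+St",
    "give_title=Ms.&card_address=a%3A1%3A%7Bi%3A0%3Bs%3A4%3A%22test%22%3B%7D",
    "give_title=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_BODIES):
        print(f"body {index}: {findings}")
```

Feed it the decoded POST bodies from a WAF or ModSecurity audit log; ordinary access logs usually do not record request bodies, so the indicators above need a log source that does.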
🔗 References
- https://plugins.trac.wordpress.org/browser/give/tags/3.16.0/includes/process-donation.php#L154
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/includes/admin/admin-actions.php
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/includes/process-donation.php
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/src/Helpers/Utils.php
- https://plugins.trac.wordpress.org/changeset/3157829/give/tags/3.16.2/includes/process-donation.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c4c530fa-eaf4-4721-bfb6-9fc06d7f343c?source=cve