
Critical Vulnerability Patched in GiveWP Plugin – WP Tavern

GiveWP, a popular donation plugin for WordPress, has patched an unauthenticated PHP Object Injection to Remote Code Execution vulnerability that could be exploited to execute arbitrary code remotely and delete files. This plugin from the Liquid Web family of products has 100k+ active installs.

villu164 (Villu Orav) reported the vulnerability via the Wordfence Bug Bounty Program and netted a bounty of $4,998.00. The researchers have categorized it as a “Critical” issue, with a CVSS score of 10.0, and strongly recommend updating to the latest version.

Wordfence shared that the GiveWP plugin is “vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the ‘give_title’ parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.”
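To make the mechanism in that advisory concrete from the defender's side, here is an added illustration (not GiveWP's code, and not the actual fix shipped in 3.14.2) of the unsafe pattern the advisory describes and two ways a developer neutralises it. Only the parameter name `give_title` comes from the advisory; the function names and sample inputs are constructed.

```php
<?php
// Added illustration, not GiveWP's code. Shows why calling unserialize() on
// a request parameter such as 'give_title' is dangerous and how to harden it.

// Constructed sample inputs: a benign serialized title string and a
// serialized object (stdClass here; a real attack would name a gadget class).
$benignInput = serialize('Monthly Donation');
$objectInput = 'O:8:"stdClass":1:{s:5:"title";s:4:"test";}';

// Vulnerable pattern: unserialize() will instantiate ANY loadable class named
// in the input, so __wakeup()/__destruct() of gadget classes run. That is the
// "POP chain" the advisory refers to.
function vulnerable_read_title(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern 1: forbid object instantiation entirely. Any 'O:'/'C:'
// entries become __PHP_Incomplete_Class, so no magic method on a real class
// is ever invoked, including objects nested inside arrays.
function hardened_read_title(string $raw): ?string
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // A title must be a plain string; reject anything else (objects, arrays,
    // or a failed parse, which returns false).
    return is_string($value) ? $value : null;
}

// Hardened pattern 2 (preferred for new code): do not use PHP serialization
// for data that crosses a trust boundary at all; carry it as JSON instead.
function read_title_json(string $raw): ?string
{
    $value = json_decode($raw, true, 2);
    return is_string($value) ? $value : null;
}

// Detection aid for request logs or WAF rules: PHP serialized objects contain
// 'O:<len>:"' or 'C:<len>:"' at the start or after an array/property
// delimiter. Expect some false positives on legitimately serialized data.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(?:^|[{;])[OC]:\d+:"/', $raw);
}

var_dump(hardened_read_title($benignInput));
var_dump(hardened_read_title($objectInput));
var_dump(looks_like_serialized_object($objectInput));
```

Running the script shows the benign title surviving the hardened reader while the object payload is reduced to `null`, and the regex flagging the object payload for review.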

The vulnerability researcher István Márton’s post has more technical details about GiveWP’s vulnerability. Wordfence contacted StellarWP and later the WordPress.org Security Team, and finally a patch was released in version 3.14.2 of the GiveWP plugin on August 7, 2024.

Wordfence launched the Bug Bounty Program in November 2023 to reward researchers for finding vulnerabilities and disclosing them privately.
