WordPress Plugin Vulnerabilities

GiveWP < 3.16.4 - Unauthenticated PHP Object Injection to Remote Code Execution

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

Affects Plugins

Plugin icon
give
Fixed in 3.16.4

References

CVE
CVE-2024-9634
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b8eb3aa9-fe60-48b6-aa24-7873dd68b47e

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
lefab
Verified
No
WPVDB ID
793bdc97-69eb-43c3-aab0-c86a76285f36

Timeline

Publicly Published
2024-10-15 (about 1 year ago)
Added
2024-10-15 (about 1 year ago)
Last Updated
2024-10-15 (about 1 year ago)

Other

Published
Title
Published
2025-01-07
Title
WC Price History for Omnibus < 2.1.5 - Authenticated (Shop manager+) PHP Object Injection
Published
2026-04-08
Title
Töbel - Modern Furniture Store WordPress Theme < 1.9 - Unauthenticated PHP Object Injection
Published
2024-10-14
Title
TAKETIN To WP Membership <= 2.8.17 - Subscriber+ PHP Object Injection
Published
2024-11-15
Title
Lis Video Gallery <= 0.2.1 - Unauthenticated PHP Object Injection
Published
2025-04-09
Title
Accordion < 2.3.12 - Contributor+ PHP Object Injection