WordPress Plugin Vulnerabilities

GiveWP < 3.19.4 - Unauthenticated PHP Object Injection

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input from the donation form through the 'company' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this covers a bypass to the fix for CVE-2024-12877.

Affects Plugins

Plugin icon
give
Fixed in 3.19.4

References

CVE
CVE-2025-22777
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/06a7ff0b-ec6b-490c-9bb0-fbb5c1c337c4

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Edisc
Verified
No
WPVDB ID
82afc2f7-948b-495e-8ec2-4cd7bbfe1c61

Timeline

Publicly Published
2025-01-10 (about 1 year ago)
Added
2025-01-13 (about 1 year ago)
Last Updated
2025-01-13 (about 1 year ago)

Other

Published
Title
Published
2025-05-20
Title
ZoomSounds <= 6.91 - Unauthenticated PHP Object Injection
Published
2025-02-27
Title
WP Activity Log < 5.3.3 - Authenticated (Admin+) PHP Object Injection
Published
2025-08-19
Title
BugsPatrol <= 1.5.0 - Unauthenticated PHP Object Injection
Published
2024-01-05
Title
WooCommerce Tranzila Gateway <= 1.0.8 - Unauthenticated PHP Object Injection
Published
2021-08-02
Title
Bold Page Builder < 3.1.6 - PHP Object Injection