GiveWP – Donation Plugin and Fundraising Platform < 3.14.0 – Insecure Direct Object Reference to Authenticated (GiveWP Worker+) Arbitrary Post Actions | CVE 2024-5977 | Plugin Vulnerabilities

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the 'handleRequest' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to delete and update arbitrary posts.

Affects Plugins

Fixed in 3.14.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2dca6c29-9f05-4d82-90e3-834f1dd8005a

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Thanh Nam Tran

Verified

No

WPVDB ID

93bd3c18-1fcd-4590-b943-bcd1c85499a9

Timeline

Publicly Published

2024-07-18 (about 1 year ago)

Added

2024-07-18 (about 1 year ago)

Last Updated

2024-07-19 (about 1 year ago)

Other

Published

Title

Published

2025-12-03

Title

Post Grid and Gutenberg Blocks <= 2.3.19 - Unauthenticated Insecure Direct Object Reference

Published

2022-12-07

Title

BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id

Published

2024-12-02

Title

Charity Addon for Elementor <= 1.3.3 - Authenticated (Contributor+) Post Disclosure

Published

2025-04-01

Title

User Registration & Membership (Free < 4.1.3, Pro < 5.1.3) - Authentication Bypass

Published

2026-01-07

Title

Image Slider Slideshow <= 1.8 - Authenticated (Contributor+) Insecure Direct Object Reference