Deserialization of Untrusted Data (CWE-502)
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3. This vulnerability is due to the deserialization of untrusted input from the give_company_name parameter. It allows unauthenticated attackers to inject a PHP Object, which, combined with the presence of a POP chain, can lead to remote code execution.
This vulnerability has a severe impact on WordPress installations running an affected GiveWP version. Because no authentication or user interaction is required, an attacker who supplies a crafted serialized object and has a usable POP chain can execute arbitrary code on the server. That allows complete compromise of the site: access to sensitive data such as donor records and credentials, modification of site content, and use of the host as a pivot point for further attacks. Confidentiality, integrity, and availability are all rated HIGH in the CVSS vector (C:H/I:H/A:H).
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.
The provided data does not name a patched version. Because the vulnerability affects "all versions up to, and including, 3.16.3" of the GiveWP plugin, the fix is expected in 3.16.4 or later. Check for and apply the latest release as soon as it is available.
1. Update the GiveWP plugin to a version newer than 3.16.3 as soon as a patched version is available.
2. If an immediate update is not possible, temporarily disable the GiveWP plugin until it can be updated.
3. In any custom code that handles the give_company_name parameter, never pass it (or any other request data) to unserialize(); treat it as a plain string. Input sanitization on its own does not remove the deserialization sink.
4. Use Web Application Firewall (WAF) rules to block requests that carry serialized PHP objects (payloads of the form O:<n>:"<class>") in this parameter. Treat this as a stopgap: such payloads can be encoded or wrapped, so a WAF rule is not a substitute for the patch.
5. Monitor web-server and WordPress logs for requests to GiveWP endpoints carrying serialized-object payloads, and for unexpected file writes or process execution originating from PHP.
6. Regularly update all WordPress plugins, themes, and core installations to minimize exposure to known vulnerabilities.
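The following script is an added illustration of the CWE-502 pattern the description above refers to and of the "do not unserialize request data" point in the mitigation list. It is not GiveWP's code and is not taken from the advisory: the LogWriter gadget class, the two handler functions, the marker file path and the stand-in sanitize_text_field() are hypothetical. It shows a request parameter reaching unserialize() unrestricted, a one-class gadget whose __destruct fires as soon as the object is built, and a hardened handler that refuses serialized objects and treats the field as a string.

```php
<?php
// Added illustration of the CWE-502 pattern behind this advisory. This is NOT
// GiveWP's code: the LogWriter class, the handler functions and the file path
// are hypothetical stand-ins for "request parameter goes straight into
// unserialize()". Run with: php cwe502_demo.php
declare(strict_types=1);

// Hypothetical gadget. Any class whose magic method (__destruct, __wakeup,
// __toString, ...) acts on attacker-settable properties is a POP-chain link.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    public function __destruct()
    {
        // Fires when the object is released, i.e. right after unserialize()
        // builds it; the application never has to call anything on it.
        file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

// Stand-in for WordPress's sanitize_text_field() so the script runs without WP.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string
    {
        return trim(strip_tags($s));
    }
}

// Vulnerable pattern: untrusted input reaches unserialize() with no class
// restriction, so the attacker chooses the class and every property value.
function vulnerable_handler(string $give_company_name): string
{
    $value = unserialize($give_company_name);
    return is_string($value) ? $value : '';
}

// Hardened pattern: a company name is a string, so it is never deserialized.
// Anything shaped like a serialized PHP object (O:... or C:...) is rejected
// before use. If structured data were really needed, json_decode() would be
// the right tool, since it cannot instantiate classes;
// unserialize($x, ['allowed_classes' => false]) is only a weaker fallback.
function hardened_handler(string $give_company_name): string
{
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $give_company_name) === 1) {
        error_log('Rejected serialized PHP object in give_company_name');
        return '';
    }
    return sanitize_text_field($give_company_name);
}

// Constructed attacker payload: the attacker picks the property values; the
// length prefixes are computed so the serialized form parses.
$marker  = sys_get_temp_dir() . '/cwe502_demo.marker';
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"line";s:5:"owned";}',
    strlen($marker),
    $marker
);

@unlink($marker);
vulnerable_handler($payload);
printf("vulnerable_handler: marker %s\n",
    file_exists($marker) ? "written to $marker (gadget fired)" : 'not written');

@unlink($marker);
hardened_handler($payload);
printf("hardened_handler:   marker %s\n",
    file_exists($marker) ? 'written (gadget fired)' : 'not written (payload rejected)');
```

Running it shows the marker file appearing after the vulnerable call and not after the hardened one. A real POP chain differs only in scale: instead of one class with a file-writing destructor, the attacker strings together existing classes from WordPress, the plugin and its dependencies until a property flows into a sink such as file_put_contents(), include or a function call, which is why the advisory ties the impact to "the presence of a POP chain" rather than to the plugin code alone.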
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2024-9634.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9634
A CVSS base score of 9.8 has been assigned.
EPSS Score was set to: 0.06% (Percentile: 28.3%)
CVE-2024-9634 is a critical PHP Object Injection vulnerability in the GiveWP Donation Plugin, with a CVSS score of 9.8, affecting all versions up to and including 3.16.3. To mitigate this vulnerability, it is strongly recommended that all websites using the affected plugin update to version 3.16.4 or later. There is no information provided regarding exploitation in the wild, proof-of-concept exploits, or downstream impacts on other third-party vendors or technology.
Detection for the vulnerability has been added to Qualys (731845)
Detection for the vulnerability has been added to Qualys (152311)