CVE-2024-12877
Published: 11 January 2025
Summary
CVE-2024-12877 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Givewp Givewp. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 3.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the deserialization vulnerability through patching the GiveWP plugin to version 3.19.4 or later.
Prevents PHP object injection by enforcing validation and sanitization of untrusted inputs like the 'firstName' donation form field prior to deserialization.
Enables identification of the vulnerable GiveWP plugin versions through regular vulnerability scanning, allowing proactive patching before exploitation.
NVD Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible…
more
for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present.
Deeper analysisAI
CVE-2024-12877 is a PHP Object Injection vulnerability (CWE-502) in the GiveWP – Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to and including 3.19.2. The flaw arises from deserialization of untrusted input, such as the 'firstName' field from the donation form, allowing attackers to inject a PHP Object. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity. By injecting a malicious PHP Object, they can leverage a present POP (Property-Oriented Programming) chain to delete arbitrary files on the server, ultimately enabling remote code execution (RCE).
The vulnerability was partially patched in version 3.19.3, as detailed in the plugin's WordPress trac changeset (https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php), but a fully sufficient fix was not available until 3.19.4. Another CVE was assigned by a different CNA for the residual issue in 3.19.3. Wordfence advisories (https://www.wordfence.com/threat-intel/vulnerabilities/id/b2143edf-5423-4e79-8638-a5b98490d292?source=cve) recommend updating to 3.19.4 or later, with guidance for the vendor to use JSON encoding to prevent future deserialization vulnerabilities.
Details
- CWE(s)