PHP Object Injection in GiveWP WordPress Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions through 3.16.1 due to deserialization of untrusted input from user-controlled parameters, including values such as 'give_title' and 'card_address'. The issue is reachable by unauthenticated attackers. According to the provided content, the vulnerability is effectively a variant of CVE-2024-5932: although prior fixes attempted to block serialized input, the presence of stripslashes_deep on user_info allowed the is_serialized check to be bypassed. Successful exploitation permits injection of attacker-controlled PHP objects, and where a suitable POP chain is present, this can be leveraged to delete arbitrary files and achieve remote code execution. The issue was mostly patched in 3.16.1, with additional hardening added in 3.16.2.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository provides a working exploit for CVE-2024-8353, a PHP Object Injection vulnerability in the GiveWP plugin for WordPress (versions up to and including 3.16.1). The exploit consists of two main scripts: - 'exploit.py': A Python script that automates the exploitation process. It identifies available forms on the target WordPress site, retrieves required nonces, and delivers a serialized PHP payload to the vulnerable endpoint. The script allows the attacker to specify an arbitrary shell command to execute on the target server. - 'payload.php': A PHP script that constructs a serialized object chain designed to trigger code execution when deserialized by the vulnerable plugin. The default payload demonstrates file creation (touch /tmp/exploit_test), but the Python script can be used to specify other commands. The exploit targets the '/wp-admin/admin-ajax.php' endpoint, using the 'form_search', 'form_nonce', and 'process_form' actions to interact with the GiveWP plugin. The attack vector is network-based, requiring only access to the target's web interface. The repository is well-structured, with clear separation between the exploit logic (Python) and the payload construction (PHP). The README provides detailed usage instructions and context about the vulnerability.
This repository provides a working exploit for CVE-2024-8353, a critical unauthenticated PHP Object Injection vulnerability in the GiveWP donation plugin for WordPress (versions up to 3.16.1). The exploit consists of a Python script (CVE-2024-8353.py) that crafts a serialized PHP object payload and submits it via a POST request to the vulnerable GiveWP donation form endpoint (/wp-admin/admin-ajax.php). The payload leverages a PHP POP chain to achieve remote code execution (RCE) by invoking shell_exec with attacker-controlled input. The included PoC.php file demonstrates the PHP object structure and serialization process used in the attack. The README.md provides detailed usage instructions, environment setup, and technical analysis of the vulnerability and exploitation process. The exploit is operational and allows unauthenticated attackers to execute arbitrary commands on affected WordPress installations. The repository is structured with clear entry points (CVE-2024-8353.py for exploitation, PoC.php for payload generation/testing), and includes all necessary dependencies in requirements.txt.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability in GiveWP, referenced as a Metasploit module PR for a bypass.
Unknown (only referenced as a related-post headline about a critical GiveWP flaw).
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.