CVE-2024-12877

CVE-2024-12877 is a PHP Object Injection vulnerability (CWE-502) in the GiveWP – Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to and including 3.19.2. The flaw arises from deserialization of untrusted input, such as the 'firstName' field from the donation form, allowing attackers to inject a PHP Object. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity. By injecting a malicious PHP Object, they can leverage a present POP (Property-Oriented Programming) chain to delete arbitrary files on the server, ultimately enabling remote code execution (RCE).

The vulnerability was partially patched in version 3.19.3, as detailed in the plugin's WordPress trac changeset (https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php), but a fully sufficient fix was not available until 3.19.4. Another CVE was assigned by a different CNA for the residual issue in 3.19.3. Wordfence advisories (https://www.wordfence.com/threat-intel/vulnerabilities/id/b2143edf-5423-4e79-8638-a5b98490d292?source=cve) recommend updating to 3.19.4 or later, with guidance for the vendor to use JSON encoding to prevent future deserialization vulnerabilities.