CVE-2024-12877

CRITICAL EXPLOITED

GiveWP <= 3.19.2 - Unauthenticated PHP Object Injection via Donation Form

Title source: llm

Exploitation Summary

CVE-2024-12877 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including soltanali0, RandomRobbieBF.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2024-12877, a PHP Object Injection vulnerability in GiveWP, including root cause analysis, regex validation bypass techniques, and exploitation steps. It demonstrates how unsafe use of `unserialize()` can lead to RCE.

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present.

Exploits (2)

nomisec WRITEUP 1 stars

by soltanali0 · remote

https://github.com/soltanali0/CVE-2024-12877-Exploit

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2024-12877, a PHP Object Injection vulnerability in GiveWP, including root cause analysis, regex validation bypass techniques, and exploitation steps. It demonstrates how unsafe use of `unserialize()` can lead to RCE.

Classification

Writeup 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: GiveWP (WordPress donation plugin)

No auth needed

Prerequisites: Access to a vulnerable GiveWP installation · Ability to send crafted serialized payloads

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by RandomRobbieBF · infoleak

https://github.com/RandomRobbieBF/CVE-2024-12877

View Code ZIP pw:eip

This repository contains a functional proof-of-concept for CVE-2024-12877, demonstrating an unauthenticated PHP object injection vulnerability in GiveWP <= 3.19.2. The exploit leverages deserialization of untrusted input via the donation form, potentially leading to arbitrary file deletion and remote code execution.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: GiveWP – Donation Plugin and Fundraising Platform <= 3.19.2

No auth needed

Prerequisites: Access to the target WordPress site with GiveWP plugin installed and vulnerable version active

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b2143edf-5423-4e79-8638-a5b98490d292?source=cve

Scores

CVSS v3 9.8

EPSS 0.3342

EPSS Percentile 97.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2026-02-03

CWE

CWE-502

Status published

Products (2)

givewp/givewp < 3.19.2

stellarwp/GiveWP – Donation Plugin and Fundraising Platform < 3.19.2

Published Jan 11, 2025

Tracked Since Feb 18, 2026