CVE-2024-8353
CRITICAL EXPLOITED NUCLEIGiveWP Unauthenticated Donation Process Exploit
Title source: metasploitDescription
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932, however, it was discovered the the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2.
Exploits (3)
metasploit
WORKING POC
EXCELLENT
by Villu Orav, EQSTLab, cuokon, Julien Ahrens, Valentin Lobstein · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_givewp_rce.rb
Nuclei Templates (1)
GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection
CRITICALVERIFIEDby hnd3884
Shodan:
http.html:"/wp-content/plugins/give/"
FOFA:
body="/wp-content/plugins/give/"
References (6)
Core 6
Core References
Product
https://plugins.trac.wordpress.org/browser/give/tags/3.16.0/includes/process-donation.php#L154
Patch
https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/includes/process-donation.php
Scores
CVSS v3
9.8
EPSS
0.9187
EPSS Percentile
99.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2025-03-27
CWE
CWE-502
Status
published
Products (2)
givewp/givewp
< 3.16.2
stellarwp/GiveWP – Donation Plugin and Fundraising Platform
< 3.16.1
Published
Sep 28, 2024
Tracked Since
Feb 18, 2026