CVE-2024-8353
GiveWP – Donation Plugin and Fundraising Platform <= 3.16.1 - Unauthenticated PHP Object InjectionThe GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932, however, it was discovered the the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2.
We have discovered 14,628 live websites that are affected by CVE-2024-8353.
Affected Software
| Product |  GiveWP |
| Category | Wordpress Plugins |
| Vulnerable Domains | 14,628 live websites (40.12% of GiveWP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 216 versions ( 91.14% of all versions) |
Common Weakness Enumeration
CWE-502 Deserialization of Untrusted DataDetails
- Published - Sep 28, 2024
- Updated - Sep 30, 2024
Credits
- cuokon (finder)
CWE
CVE References
CWE References
CVE-2024-8353 usage by Country
 United States | 7,561 websites |
 Germany | 1,421 websites |
 France | 762 websites |
 GB | 691 websites |
 Cyprus | 409 websites |
 Italy | 344 websites |
 Canada | 283 websites |
 Australia | 228 websites |
 Spain | 207 websites |
 South Africa | 174 websites |
CVE-2024-8353 usage by TLD
| .org | 6,114 websites |
| .com | 3,721 websites |
| .de | 360 websites |
| .it | 285 websites |
| .net | 252 websites |
| .ca | 237 websites |
| .org.uk | 228 websites |
| .fr | 213 websites |
| .co.uk | 190 websites |
| .nl | 126 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-8353
Top websites that are affected by CVE-2024-8353. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *************.sk | United States | **,*** | |
| ****.info | United States | **,*** | |
| *****.org | United States | **,*** | |
| ********.org | United States | **,*** | |
| *********.org | United States | **,*** | |
| ************.org | United States | **,*** | |
| ****************.org | Germany | **,*** | |
| *******.org | United States | **,*** | |
| **************.com | Australia | **,*** | |
| ****.org | United States | **,*** |
FAQ
CVE-2024-8353 is Deserialization of Untrusted Data in GiveWP
A total of 14,628 websites have been identified as vulnerable to CVE-2024-8353, discovered through global website indexing conducted by WebTechSurvey.
GiveWP is susceptible to CVE-2024-8353 vulnerability.
GiveWP versions before, and including, 3.16.1 are vulnerable to CVE-2024-8353.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c4c530fa-eaf4-4721-bfb6-9fc06d7f343c?source=cve
- https://plugins.trac.wordpress.org/browser/give/tags/3.16.0/includes/process-donation.php#L154
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/includes/process-donation.php
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/includes/admin/admin-actions.php
- https://plugins.trac.wordpress.org/changeset/3149290/give/tags/3.16.1/src/Helpers/Utils.php
- https://plugins.trac.wordpress.org/changeset/3157829/give/tags/3.16.2/includes/process-donation.php