- Description
- The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
- Source
- security@wordfence.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Hype score
- Not currently trending
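The description above says the untrusted input reaches `unserialize()` through the `give_title` parameter and that an existing POP chain turns the injected object into file deletion or code execution. A request-side detection therefore only needs to answer one question: does the parameter value carry a serialized PHP object, possibly nested inside an array? The Python below is an added example, not code from GiveWP, Wordfence or NVD. It parses PHP's `serialize()` format instead of grepping for `O:\d+:"`, so a string that merely contains object-looking text is not a false positive, while objects wrapped in an array are still reported with their class names. The sample requests, the `Hypothetical_Gadget` class name and the path inside it are constructed for the demonstration; only the parameter name comes from the advisory.

```python
"""Find serialized PHP objects in request parameters (added example).

Not GiveWP or Wordfence code. Walks PHP's serialize() grammar so that
s:len:"..." strings are skipped by their declared length and objects
inside a:N:{...} arrays are still found. Sample requests and the gadget
class name below are constructed, not real traffic.
"""
from urllib.parse import parse_qs, urlencode


def _expect(data: str, pos: int, token: str) -> None:
    if data[pos:pos + len(token)] != token:
        raise ValueError(f'expected {token!r} at offset {pos}')


def _parse(data: str, pos: int, classes: list) -> tuple:
    """Parse one value at pos; return (python_value, next_pos).

    Appends the class name of every O: object seen to `classes`.
    Raises ValueError/IndexError on anything that is not serialize() output.
    """
    tag = data[pos]
    if tag == 'N':                                   # N;
        _expect(data, pos + 1, ';')
        return None, pos + 2
    if tag in 'bid':                                 # b:1;  i:42;  d:1.5;
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        value = raw == '1' if tag == 'b' else (int(raw) if tag == 'i' else float(raw))
        return value, end + 1
    if tag == 's':                                   # s:5:"hello";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])            # byte length; see scan_query()
        _expect(data, colon + 1, '"')
        start = colon + 2
        value = data[start:start + length]           # content skipped by length, never parsed
        _expect(data, start + length, '";')
        return value, start + length + 2
    if tag == 'a':                                   # a:2:{key;value;key;value;}
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        _expect(data, colon + 1, '{')
        pos = colon + 2
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos, classes)
            items[key], pos = _parse(data, pos, classes)
        _expect(data, pos, '}')
        return items, pos + 1
    if tag == 'O':                                   # O:3:"Foo":1:{s:1:"p";i:1;}
        colon = data.index(':', pos + 2)
        name_len = int(data[pos + 2:colon])
        _expect(data, colon + 1, '"')
        name = data[colon + 2:colon + 2 + name_len]
        pos = colon + 2 + name_len
        _expect(data, pos, '":')
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        _expect(data, colon + 1, '{')
        pos = colon + 2
        classes.append(name)                         # the injected class is what a POP chain abuses
        props = {}
        for _ in range(count):
            key, pos = _parse(data, pos, classes)
            props[key], pos = _parse(data, pos, classes)
        _expect(data, pos, '}')
        return {'__class__': name, **props}, pos + 1
    raise ValueError(f'unsupported tag {tag!r} at offset {pos}')


def php_object_classes(value: str) -> list:
    """Class names of objects in a serialized blob; [] for plain text or malformed input."""
    classes = []
    try:
        _parse(value, 0, classes)
    except (ValueError, IndexError):
        return []
    return classes


def scan_query(query: str, params=('give_title',)) -> dict:
    """Map each watched parameter to the object classes found in its value(s).

    latin-1 decoding keeps one character per byte, so PHP's byte-based
    s:len: prefixes line up even when a payload contains non-ASCII bytes.
    """
    found = {}
    for name, values in parse_qs(query, encoding='latin-1').items():
        if name not in params:
            continue
        for value in values:
            classes = php_object_classes(value)
            if classes:
                found.setdefault(name, []).extend(classes)
    return found


def triage(requests: dict) -> dict:
    """Return {label: {param: [classes]}} for the requests that carry objects."""
    result = {}
    for label, query in requests.items():
        hits = scan_query(query)
        if hits:
            result[label] = hits
    return result


# Constructed sample form bodies; 'Hypothetical_Gadget' and the path are made up.
GADGET = 'O:19:"Hypothetical_Gadget":1:{s:4:"path";s:14:"/var/www/a.txt";}'
SAMPLE_REQUESTS = {
    'benign': urlencode({'give_title': 'Mr', 'give_first': 'Alice'}),
    'direct_object': urlencode({'give_title': GADGET}),
    'object_inside_array': urlencode({'give_title': 'a:1:{i:0;' + GADGET + '}'}),
    'decoy_string': urlencode({'give_title': 's:14:"O:3:"Foo":0:{}";'}),
}

if __name__ == '__main__':
    for label, hits in triage(SAMPLE_REQUESTS).items():
        print(label, hits)
```

Running the block reports `direct_object` and `object_inside_array` with the class `Hypothetical_Gadget` and stays silent on the benign title and on the decoy, whose value is a serialized string rather than an object. The check only covers the request path named in the description; it says nothing about serialized data that is already stored, which a request filter cannot see.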
A critical vulnerability in GiveWP, a WordPress plugin used by more than 100,000 sites. CVE-2025-22777 has a CVSS score of 9.8 and is an unauthenticated PHP object injection, caused by being able to deserialize unsafe metadata in the database. An insufficient fix for CVE-2024-5932. https://t.co/3B6ehsbiEm
@__kokumoto
12 Jan 2025
1534 Impressions
2 Retweets
12 Likes
1 Bookmark
1 Reply
1 Quote
CVE-2024-5932: this one is a WordPress plugin called GiveWP Donation (used for donating money?). I just did a quick search for machines with v3.14.2 installed https://t.co/Le6Qflorv3
@annpigpigpig
12 Jan 2025
42 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"matchCriteriaId": "8EA945D4-1072-4526-9329-DAB413CB26F6",
"versionEndExcluding": "3.14.2"
}
],
"operator": "OR"
}
]
}
]
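The configuration block above is NVD's applicability statement: a single OR node whose one cpeMatch entry covers every `givewp:givewp` version for `target_sw` wordpress below 3.14.2 (`versionEndExcluding`). The Python below is an added example, not NVD or GiveWP tooling, that evaluates such a statement against an installed version; the JSON is the block from this page and the `site` dictionary is a hypothetical install. It handles the general NVD shape (all four version bounds, `negate`, AND/OR node operators, several nodes per configuration), not only the single entry shown here, and compares versions as numeric tuples so that 3.9 sorts before 3.14.

```python
"""Evaluate an NVD CPE applicability statement against an installed version.

Added example, not NVD or GiveWP code. NVD_CONFIGURATIONS is copied from
the configuration block on this page; `site` below is hypothetical.
"""
import json

# Copied from the configuration block on this page.
NVD_CONFIGURATIONS = json.loads("""
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8EA945D4-1072-4526-9329-DAB413CB26F6",
            "versionEndExcluding": "3.14.2"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
""")

# Field order of a cpe:2.3 string after the "cpe:2.3:" prefix.
CPE_NAMES = ['part', 'vendor', 'product', 'version', 'update', 'edition',
             'language', 'sw_edition', 'target_sw', 'target_hw', 'other']


def parse_version(text: str) -> tuple:
    """'3.14.2' -> ((0,3),(0,14),(0,2)); numeric parts compare as numbers,
    anything else (e.g. 'rc1') compares as text and sorts after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in text.split('.'))


def match_cpe(entry: dict, installed: dict) -> bool:
    """True when the cpeMatch entry covers the installed product and version."""
    fields = dict(zip(CPE_NAMES, entry['criteria'].split(':')[2:]))
    for name, want in fields.items():
        if name == 'version' or want == '*':
            continue                                  # wildcard or handled below
        if installed.get(name, '*') != want:
            return False                              # different vendor/product/platform
    version = parse_version(installed['version'])
    if fields['version'] != '*' and parse_version(fields['version']) != version:
        return False                                  # criteria pins an exact version
    bounds = (
        ('versionStartIncluding', lambda b: version >= b),
        ('versionStartExcluding', lambda b: version > b),
        ('versionEndIncluding',   lambda b: version <= b),
        ('versionEndExcluding',   lambda b: version < b),
    )
    return all(ok(parse_version(entry[key])) for key, ok in bounds if key in entry)


def node_matches(node: dict, installed: dict) -> bool:
    """Combine a node's cpeMatch entries with its operator, then apply negate.

    Assumption: entries flagged "vulnerable": false describe required context
    (e.g. a platform) and are not counted as a vulnerable match here.
    """
    hits = [match_cpe(e, installed) and e.get('vulnerable', True) for e in node['cpeMatch']]
    result = all(hits) if node.get('operator', 'OR') == 'AND' else any(hits)
    return not result if node.get('negate') else result


def is_affected(configurations: list, installed: dict) -> bool:
    """A CVE applies when any configuration matches; nodes in one
    configuration combine with its operator (AND unless stated otherwise)."""
    for config in configurations:
        node_hits = [node_matches(n, installed) for n in config['nodes']]
        combined = any(node_hits) if config.get('operator') == 'OR' else all(node_hits)
        if combined:
            return True
    return False


if __name__ == '__main__':
    # Hypothetical site; only vendor/product/target_sw/version matter for this entry.
    site = {'part': 'a', 'vendor': 'givewp', 'product': 'givewp',
            'target_sw': 'wordpress', 'version': '3.14.1'}
    for v in ('3.9.0', '3.14.1', '3.14.2', '3.14.10'):
        print(v, 'affected' if is_affected(NVD_CONFIGURATIONS, dict(site, version=v)) else 'not affected')
```

Version strings of unequal length compare as tuple prefixes, so `3.14` sorts before `3.14.0`; that is harmless for an exclusive upper bound like this one but worth normalising if you feed the function inclusive bounds from other advisories.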