admin/GobyVuls
1
0
Fork 0
mirror of https://github.com/gobysec/GobyVuls.git synced 2025-05-05 10:16:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create CVE-2024-8353 GiveWP WordPress Plugin admin-ajax.php Command Execution Vulnerability.md

Browse Source
This commit is contained in:
Goby 2024-10-11 19:59:30 +08:00 committed by GitHub
parent 2c2edfc907
commit 3139a30f58
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
CVE-2024-8353 GiveWP WordPress Plugin admin-ajax.php Command Execution Vulnerability.md Normal file
View File

@ -0,0 +1,13 @@
# CVE-2024-8353 GiveWP WordPress Plugin admin-ajax.php Command Execution Vulnerability
GiveWP is a very popular WordPress plugin designed for non-profit organizations and individuals to accept online donations.
A PHP object injection vulnerability exists in the GiveWP Donation Plugin and Fundraising Platform Plugin for WordPress, affecting all versions up to and including version 3.16.1. The vulnerability is generated by deserializing several parameters (such as 'give_title' and 'card_address') of untrustworthy input. This allows an unauthenticated attacker to inject PHP objects. In addition, the presence of a POP chain allows an attacker to delete arbitrary files and enable remote code execution.
**Affected version**: affecting all versions up to and including version 3.16.1
**[FOFA] query rule**: body="/wp-content/plugins/give/" && body="wp-includes"
dowland goby: https://gobysec.net/#dl
![](https://s3.bmp.ovh/imgs/2024/10/11/c4f2085c1fcb37c8.gif)