CVSS: 10.0EPSS: 9%CPEs: 1EXPL: 0CVE-2024-12877 – GiveWP – Donation Plugin and Fundraising Platform <= 3.19.2 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-12877
10 Jan 2025 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a f... • https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 12%CPEs: 1EXPL: 0CVE-2024-9634 – GiveWP – Donation Plugin and Fundraising Platform <= 3.16.3 - Unauthenticated PHP Object Injection to Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-9634
15 Oct 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution. • https://plugins.trac.wordpress.org/browser/give/tags/3.16.2/src/Donations/Repositories/DonationRepository.php?rev=3157829 • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 61%CPEs: 1EXPL: 3CVE-2024-8353 – GiveWP – Donation Plugin and Fundraising Platform <= 3.16.1 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-8353
27 Sep 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932,... • https://packetstorm.news/files/id/183149 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9130 – GiveWP – Donation Plugin and Fundraising Platform <= 3.16.1 - Authenticated (GiveWP Manager+) SQL Injection via order Parameter
https://notcve.org/view.php?id=CVE-2024-9130
26 Sep 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with GiveWP Manager-level access and above, to append additional SQL queries into already existing queries within the Legacy View mode, that can be us... • https://givewp.com/documentation/core/give-user-roles • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6551 – GiveWP <= 3.15.1 - Unauthenticated Full Path Disclosure
https://notcve.org/view.php?id=CVE-2024-6551
28 Aug 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.15.1. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an... • https://plugins.trac.wordpress.org/browser/give/tags/3.15.1/vendor/vendor-prefixed/symfony/http-foundation/Tests/Fixtures/response-functional/common.inc#L23 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 5CVE-2024-5932 – GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-5932
19 Aug 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files. The GiveWP Donation plugin and Fundraising Platform plugin for WordPress in all versions up ... • https://packetstorm.news/files/id/180421 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5939 – GiveWP – Donation Plugin and Fundraising Platform <= 3.13.0 - Missing Authorization to Limited Information Exposure
https://notcve.org/view.php?id=CVE-2024-5939
19 Aug 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to read the setup wizard administrative pages. • https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/Onboarding/Wizard/Page.php#L78 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5940 – GiveWP – Donation Plugin and Fundraising Platform <= 3.13.0 - Missing Authorization to Unauthenticated Event Settings Update
https://notcve.org/view.php?id=CVE-2024-5940
19 Aug 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled. • https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/EventTickets/Routes/UpdateEvent.php#L81 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5941 – GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 - Missing Authorization to Authenticated (Subscriber+) Limited File Deletion
https://notcve.org/view.php?id=CVE-2024-5941
19 Aug 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read attachment paths and delete attachment files. • https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/DonorDashboards/Tabs/EditProfileTab/AvatarRoute.php#L36 • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3714 – GiveWP – Donation Plugin and Fundraising Platform <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-3714
17 May 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected pa... • https://plugins.trac.wordpress.org/changeset/3083390/give/tags/3.11.0/includes/class-give-donate-form.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •