CVE Vulnerability Database

CVE-2024-12877: GiveWP WordPress Plugin RCE Vulnerability

CVE-2024-12877 is a remote code execution flaw in the GiveWP WordPress plugin that allows unauthenticated attackers to inject PHP objects and delete files. This post explains its impact, affected versions, and mitigation steps.


CVE-2024-12877 Overview

CVE-2024-12877 is a PHP Object Injection vulnerability in the GiveWP – Donation Plugin and Fundraising Platform for WordPress. The flaw affects all versions up to and including 3.19.2. The plugin deserializes untrusted input submitted through donation form fields such as firstName, enabling unauthenticated attackers to inject arbitrary PHP objects. A property-oriented programming (POP) chain available in the codebase allows attackers to delete arbitrary files on the server, which can lead to remote code execution. The issue maps to [CWE-502] Deserialization of Untrusted Data.

Critical Impact

Unauthenticated remote attackers can trigger arbitrary file deletion and achieve remote code execution on WordPress sites running vulnerable GiveWP installations.

Affected Products

  • GiveWP – Donation Plugin and Fundraising Platform for WordPress, all versions through 3.19.2
  • GiveWP version 3.19.3 (partial patch only; tracked under a separate CVE)
  • Any WordPress site processing donation submissions through the vulnerable plugin

Discovery Timeline

  • 2025-01-11 - CVE-2024-12877 published to NVD
  • 2025-02-25 - Last updated in NVD database

Technical Details for CVE-2024-12877

Vulnerability Analysis

The vulnerability stems from unsafe use of PHP's unserialize() function on attacker-controlled donation form input. When a user submits a donation, fields such as firstName are passed through deserialization routines in the plugin's Utils.php helper. Attackers can supply a crafted serialized PHP object string in place of expected text input.

PHP Object Injection becomes exploitable when the application contains classes with magic methods such as __destruct, __wakeup, or __toString that perform sensitive operations. GiveWP ships with a usable POP chain that ends in arbitrary file deletion. Deleting key files such as wp-config.php forces WordPress into setup mode, allowing the attacker to reconfigure the database connection and ultimately execute PHP code on the host.

No authentication is required because donation forms are public by design. The attack requires only the ability to submit a donation request to a vulnerable site.

Root Cause

The root cause is direct deserialization of untrusted HTTP POST data without prior validation. The plugin treats donation form fields as trusted serialized payloads rather than literal strings. Vendor remediation in 3.19.3 was incomplete, and a fully sufficient fix was only released in 3.19.4. The recommended long-term mitigation is to migrate from PHP serialization to JSON encoding.

Attack Vector

An unauthenticated attacker submits an HTTP POST request to a GiveWP donation endpoint. The attacker replaces a normal field value, such as firstName, with a serialized PHP object payload. When the plugin processes the submission, unserialize() instantiates the attacker-controlled object graph and triggers the POP chain during execution or object destruction. The chain reaches a file deletion sink, removing files chosen by the attacker and enabling follow-on remote code execution.

No verified public exploit code is available at this time. The EPSS percentile indicates a meaningful likelihood of exploitation activity relative to other published CVEs.

Detection Methods for CVE-2024-12877

Indicators of Compromise

  • POST requests to GiveWP donation endpoints containing serialized PHP markers such as O:, a:, or s: inside fields like firstName, lastName, or email.
  • Unexpected deletion or truncation of wp-config.php, plugin files, or .htaccess on the WordPress host.
  • New or modified PHP files in wp-content/uploads/ or the plugin directory following donation traffic.
  • WordPress entering setup or installation mode without administrator action.

Detection Strategies

  • Inspect web server access logs for donation POST requests containing serialized object signatures in form fields that should hold plain text.
  • Monitor file integrity on WordPress core files, wp-config.php, and the give plugin directory for unauthorized deletions.
  • Alert on PHP error log entries referencing unserialize(), class instantiation failures, or __destruct calls inside GiveWP helper files.
  • Correlate donation form submissions with subsequent process spawns from the PHP-FPM or web server user.
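The first detection strategy above, worked through as an added example that is not code from the original page or from GiveWP: it percent-decodes form-encoded donation POST bodies and flags plain-text fields (the names are taken from the advisory) whose value begins with a PHP serialized object, array or string token. The sample bodies and the class name SomeClass are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Donation form fields that should only ever hold plain text (field names from the advisory).
PLAIN_TEXT_FIELDS = {"firstName", "lastName", "email", "company"}

# PHP serialization tokens for an object (O:<len>:"<class>":<n>:{), an array (a:<n>:{)
# or a string (s:<len>:"), anchored at the start of the value or right after a ';' or '{'
# separator. Requiring the digits plus the following quote/brace keeps ordinary text such
# as the surname O'Brien or "Address: 12 Main St" from matching.
PHP_SERIALIZED = re.compile(r'(?:^|[;{])(?:O:\d+:"[^"]+":\d+:\{|a:\d+:\{|s:\d+:")')


def find_serialized_fields(body: str) -> list[tuple[str, str]]:
    """Return (field, matched token) for each plain-text field carrying PHP serialized data.

    `body` is a raw application/x-www-form-urlencoded POST body; parse_qsl percent-decodes
    it first, so payloads hidden behind %22, %3A or %7B are still inspected.
    """
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in PLAIN_TEXT_FIELDS:
            continue
        match = PHP_SERIALIZED.search(value)
        if match:
            hits.append((name, match.group(0).lstrip(";{")))
    return hits


# Constructed sample bodies (not captured traffic): a benign donation, a name containing an
# apostrophe, a percent-encoded serialized object in firstName, and the same object nested
# inside a serialized array. SomeClass is a hypothetical class name.
SAMPLE_BODIES = {
    "benign": "firstName=Alice&lastName=Smith&email=alice%40example.org&amount=25",
    "apostrophe": "firstName=Conor&lastName=O%27Brien&email=c%40example.org",
    "object": "firstName=O%3A9%3A%22SomeClass%22%3A0%3A%7B%7D&lastName=Smith",
    "nested": "firstName=a%3A1%3A%7Bi%3A0%3BO%3A9%3A%22SomeClass%22%3A0%3A%7B%7D%7D",
}


def scan_bodies(bodies: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Run the detector over labelled bodies and keep only those that produced a hit."""
    return {label: hits for label, body in bodies.items() if (hits := find_serialized_fields(body))}


if __name__ == "__main__":
    for label, hits in scan_bodies(SAMPLE_BODIES).items():
        print(f"{label}: {hits}")
```

Only fields that should hold plain text are checked, so a legitimately structured parameter elsewhere in the form does not raise an alert.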

Monitoring Recommendations

  • Enable web application firewall rules that block serialized PHP payloads in donation parameters.
  • Forward WordPress, PHP, and web server logs to a centralized analytics platform for query and correlation.
  • Track outbound connections initiated by the web server process immediately after donation traffic.

How to Mitigate CVE-2024-12877

Immediate Actions Required

  • Update GiveWP to version 3.19.4 or later on every WordPress instance running the plugin.
  • Audit wp-config.php, plugin files, and uploads directories for unauthorized modifications or deletions.
  • Rotate WordPress administrator credentials, database passwords, and any API keys stored in wp-config.php if compromise is suspected.
  • Review donation transaction logs for anomalous submissions originating from a single IP or containing malformed input.

Patch Information

GiveWP released a partial fix in version 3.19.3 and a complete fix in version 3.19.4. The vendor changeset is available in the WordPress Plugin Repository. Additional technical detail is provided in the Wordfence Vulnerability Report. The vendor has been advised to replace PHP serialization with JSON encoding to prevent recurrence.

Workarounds

  • Disable the GiveWP plugin until version 3.19.4 or later can be deployed.
  • Deploy WAF rules that reject donation form parameters containing serialized PHP patterns such as O:[0-9]+: or a:[0-9]+:{.
  • Restrict access to donation endpoints by IP allow-list while remediation is pending.
  • Apply filesystem permissions that prevent the web server user from deleting wp-config.php and other critical files.

```apache
# Example ModSecurity rule to block serialized PHP objects in GiveWP donation form fields.
# phase:2 runs after the POST body is parsed; ARGS:<name> limits the check to the named
# plain-text fields, so the serialized-token regex is applied only to those values.
SecRule ARGS:firstName|ARGS:lastName|ARGS:email|ARGS:company "@rx (^|;)(O|a|s):[0-9]+:" \
  "id:1009001,phase:2,t:none,deny,status:403,log,msg:'GiveWP PHP Object Injection attempt'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
