CVE-2024-9634 Overview
CVE-2024-9634 is a PHP Object Injection vulnerability in the GiveWP – Donation Plugin and Fundraising Platform for WordPress. The flaw affects all versions up to and including 3.16.3. The vulnerable code deserializes untrusted input from the give_company_name parameter during donation processing. Unauthenticated attackers can inject arbitrary PHP objects into the application. A Property-Oriented Programming (POP) chain present in the plugin elevates the injection to remote code execution. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data).
Critical Impact
Unauthenticated remote attackers can execute arbitrary code on any WordPress site running a vulnerable GiveWP installation, leading to full site compromise.
Affected Products
- GiveWP – Donation Plugin and Fundraising Platform for WordPress (all versions ≤ 3.16.3)
- WordPress sites with GiveWP installed and donation forms exposed
- Hosting environments serving the vulnerable plugin code path in includes/process-donation.php
Discovery Timeline
- 2024-10-16 - CVE-2024-9634 published to the National Vulnerability Database
- 2024-10-16 - GiveWP version 3.16.4 released with the fix in includes/process-donation.php
- 2025-02-27 - Last updated in NVD database
Technical Details for CVE-2024-9634
Vulnerability Analysis
The GiveWP plugin processes donation submissions through its donation handler. During this process, the give_company_name POST parameter is passed into PHP's unserialize() function without validation. PHP's unserialize() reconstructs objects from serialized strings and invokes magic methods such as __wakeup(), __destruct(), and __toString() on those objects. When an application deserializes attacker-controlled data, any class loaded into the runtime becomes a potential gadget.
GiveWP and its dependencies expose classes that form a usable POP chain. An attacker crafts a serialized payload referencing these classes so that during deserialization, the chained magic methods reach a sink capable of file writes, SQL execution, or command execution. The result is remote code execution under the privileges of the PHP-FPM or web server process.
Root Cause
The root cause is the use of unserialize() on untrusted input received from an unauthenticated HTTP request. The donation flow trusts client-supplied billing fields and reconstructs PHP objects from them. The pre-patch source in DonationRepository.php and related processing logic reflects this unsafe deserialization pattern.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP POST request to the donation form endpoint with a malicious serialized payload in the give_company_name field. The plugin deserializes the value server-side, triggering the gadget chain and arbitrary code execution. The Wordfence advisory documents the exploitation path.
No public proof-of-concept code is referenced in the enriched data, so this section describes the mechanism in prose only. The exploitation primitive is a standard PHP serialized object string (for example, a value beginning with the O: object marker) supplied where the plugin expects a plain-text company name.
Detection Methods for CVE-2024-9634
Indicators of Compromise
- POST requests to donation endpoints containing serialized PHP markers such as O:, a:, or s: in the give_company_name parameter
- Unexpected PHP files written to wp-content/uploads/ or plugin directories following donation submissions
- New or modified WordPress administrator accounts with no corresponding audit log entry
- Outbound network connections from the web server process to attacker-controlled hosts shortly after donation form traffic
Detection Strategies
- Inspect web server access logs for POST requests to GiveWP form handlers containing URL-encoded serialized payloads in give_company_name
- Deploy a Web Application Firewall (WAF) rule that blocks request bodies matching PHP serialization patterns in donation fields
- Run file integrity monitoring on the WordPress installation to flag unauthorized PHP file creation or modification
- Correlate donation submissions with subsequent process creation events on the underlying host
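The following script is an added detection example for the indicators and log-inspection strategies listed above; it is not code from GiveWP or from the Wordfence advisory. It assumes the analyst has request bodies available (for example from a WAF audit log or an application-level request log, since ordinary access logs do not record POST bodies); the one-line log format it parses and the sample entries are constructed for this example. It goes slightly beyond the page by checking every form parameter, not only give_company_name, and by decoding values twice to catch double URL-encoding. It matches the full shape of PHP serialization tokens rather than bare "O:" or "s:" substrings, so a legitimate company name such as "O:Connor Ltd" is not flagged.

```python
"""Flag PHP serialization tokens in GiveWP donation-form parameters.

Added detection example (not GiveWP or Wordfence code). Assumes request
bodies are available from a WAF audit log or application request log; the
log line format and sample entries below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Tokens from PHP's serialization grammar. Requiring the full token shape,
# not a bare "O:" substring, avoids flagging names like "O:Connor Ltd".
PHP_SERIAL_TOKEN = re.compile(
    r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{'   # object: O:<len>:"<class>":<nprops>:{
    r'|a:\d+:\{'                        # array:  a:<count>:{
    r'|s:\d+:"'                         # string: s:<len>:"
)

# Constructed log format: <ts> <ip> "<METHOD> <path> HTTP/1.x" body=<urlencoded>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" '
    r'body=(?P<body>\S*)$'
)


def find_serialized_params(body: str) -> dict:
    """Return {parameter: [tokens]} for each form parameter whose value
    contains a PHP serialization token. All parameters are checked, so a
    payload moved from give_company_name to another billing field is still
    caught. Each value is decoded a second time to catch double encoding."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for candidate in (value, unquote_plus(value)):
                tokens = PHP_SERIAL_TOKEN.findall(candidate)
                if tokens:
                    hits.setdefault(name, []).extend(tokens)
                    break  # report the field once, at the first decoding level that matches
    return hits


def scan_log(lines) -> list:
    """Parse constructed request-log lines and return one finding per request
    carrying a serialized payload, with the matching fields and tokens."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        fields = find_serialized_params(m["body"])
        if fields:
            findings.append({
                "ts": m["ts"], "ip": m["ip"], "method": m["method"],
                "path": m["path"], "fields": fields,
            })
    return findings


# Constructed sample log: a benign submission whose company name merely
# contains "O:", a serialized stdClass object in give_company_name, and the
# same object double URL-encoded. stdClass is used only to show the token
# shape; it is not a gadget.
SAMPLE_LOG = [
    '2024-10-17T09:58:11Z 203.0.113.10 "POST /donations/give-form/ HTTP/1.1" '
    'body=give_first=Ann&give_last=Lee&give_company_name=O%3AConnor+Ltd&give-amount=25',
    '2024-10-17T09:59:02Z 198.51.100.7 "POST /donations/give-form/ HTTP/1.1" '
    'body=give_first=x&give_company_name=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7D',
    '2024-10-17T09:59:40Z 198.51.100.7 "POST /donations/give-form/ HTTP/1.1" '
    'body=give_company_name=O%253A8%253A%2522stdClass%2522%253A1%253A%257Bs%253A1%253A%2522a%2522%253Bs%253A1%253A%2522b%2522%253B%257D',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["path"], finding["fields"])
```

Run against the constructed sample, the benign "O:Connor Ltd" submission produces no finding, while both the plain and the double-encoded serialized values are reported with the field name and the tokens that matched. Feeding the same parameter check into a WAF rule or a SIEM alert gives the "PHP serialized object signatures in user-supplied parameters" alert recommended below.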
Monitoring Recommendations
- Forward WordPress, PHP-FPM, and web server logs to a centralized analytics platform for retention and correlation
- Alert on PHP serialized object signatures appearing in user-supplied parameters
- Monitor outbound traffic from web hosts for anomalous destinations or beaconing patterns
How to Mitigate CVE-2024-9634
Immediate Actions Required
- Update GiveWP to version 3.16.4 or later on every WordPress site in the environment
- Audit donation forms and recent submissions for evidence of exploitation against give_company_name
- Rotate WordPress administrator credentials, API keys, and database passwords if compromise is suspected
- Review installed plugins and themes for unexpected files added since the plugin was first exposed
Patch Information
GiveWP addressed the vulnerability in version 3.16.4. The fix is published in the WordPress plugin repository changeset for process-donation.php. The patch removes the unsafe deserialization of the give_company_name parameter during donation processing.
Workarounds
- If immediate patching is not possible, disable the GiveWP plugin until the upgrade can be completed
- Apply WAF rules that reject any request containing PHP serialization tokens in donation form parameters
- Restrict access to donation endpoints by IP allowlist where the donation flow is non-public
# Update GiveWP via WP-CLI to the patched release (omit --version to take the latest release)
wp plugin update give --version=3.16.4
# Confirm the installed version is 3.16.4 or later and that the plugin is active
wp plugin list --name=give --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.