
Cloud Vulnerability DB
A community-led vulnerabilities database
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2024-12877) affecting all versions up to and including 3.19.2. The vulnerability was reported by Wordfence, with initial disclosure on January 11, 2025 (NVD CVE).
The root cause is that the plugin deserializes untrusted input from donation form fields such as 'firstName' (PHP's unserialize() on attacker-controlled data), which lets the submitter choose which PHP class is instantiated and with what property values. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and is classified as CWE-502 (Deserialization of Untrusted Data) (NVD CVE).
An unauthenticated attacker can therefore inject a PHP object. Injecting an object is only harmful when the loaded code also contains a POP (property-oriented programming) chain, that is, classes whose magic methods (__destruct, __wakeup and similar) act on attacker-controlled properties. Such a chain is present here and allows the attacker to delete arbitrary files on the server, which can be escalated to remote code execution, so the issue is a critical risk for affected WordPress installations (NVD CVE).
Version 3.19.3 contained only a partial patch; the issue was not fully fixed until version 3.19.4. The advisory recommends that the vendor encode this data as JSON rather than PHP serialization so that no further deserialization vulnerabilities can arise. Users should update to 3.19.4 or later immediately (NVD CVE).
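As an added illustration (not code from GiveWP, Wordfence or the advisory), the following PHP shows the CWE-502 pattern the report describes and the JSON-encoding fix it recommends. TempFileCleaner is a hypothetical gadget class invented for this example; the real POP chain in GiveWP is not reproduced here, and the payload, file paths and function names are all constructed for the demonstration.

```php
<?php
// Added example, not GiveWP code: the CWE-502 pattern behind a PHP Object
// Injection bug and the JSON-encoding fix the advisory recommends.
// TempFileCleaner is a HYPOTHETICAL gadget class standing in for a real POP
// chain; it is not the chain present in GiveWP.
declare(strict_types=1);

// Hypothetical gadget: the destructor acts on an attacker-controllable property.
// Any object unserialize() builds from attacker input is eventually freed, so
// __destruct() runs with whatever $path the attacker wrote into the payload.
class TempFileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: the form field is fed straight to unserialize(), so the
// attacker, not the application, decides which class gets instantiated.
function vulnerableFirstName(string $fieldValue): string
{
    $value = unserialize($fieldValue);
    return is_string($value) ? $value : '';
    // $value goes out of scope on return; if it is a gadget, __destruct() fires.
}

// Hardened pattern (what the advisory recommends): JSON decodes to scalars and
// arrays only, never to objects with magic methods, so no gadget can run.
function hardenedFirstName(string $fieldValue): string
{
    $value = json_decode($fieldValue, true, 512, JSON_THROW_ON_ERROR);
    if (!is_string($value)) {
        throw new InvalidArgumentException('firstName must be a JSON string');
    }
    return $value;
}

// Defence in depth where unserialize() cannot be removed yet: refuse to
// instantiate any class. Objects come back as __PHP_Incomplete_Class, whose
// magic methods are never invoked.
function unserializeNoObjects(string $fieldValue): mixed
{
    return unserialize($fieldValue, ['allowed_classes' => false]);
}

// --- constructed demonstration (all inputs are made up for this example) ---
$target = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
file_put_contents($target, 'file the attacker wants gone');

// A benign client sends a serialized string; an attacker sends a serialized
// object naming the gadget class and the file to remove. The attacker builds
// the payload by hand, exactly as it would arrive in the HTTP request.
$benign  = serialize('Alice');
$payload = sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
                   strlen($target), $target);

vulnerableFirstName($benign);   // harmless: a plain string comes back
vulnerableFirstName($payload);  // the gadget is built and freed: its destructor unlinks $target
printf("after vulnerable path, target exists: %s\n",
       var_export(file_exists($target), true));

file_put_contents($target, 'restored for the second run');

$decoded = unserializeNoObjects($payload);   // __PHP_Incomplete_Class, no destructor runs
printf("allowed_classes=false yields %s, target exists: %s\n",
       get_class($decoded), var_export(file_exists($target), true));

try {
    hardenedFirstName($payload);             // serialized PHP is not valid JSON
} catch (JsonException $e) {
    echo "hardened path rejects serialized payload: {$e->getMessage()}\n";
}
printf("hardened path accepts %s as %s\n", json_encode('Alice'),
       hardenedFirstName(json_encode('Alice')));

unlink($target);
```

The attacker side needs nothing more than the class name and property layout of a gadget that is already loaded; the gadget class here is defined in the same file only so the demonstration is self-contained. Switching the wire format to JSON removes the class of bug entirely, whereas `allowed_classes => false` is a stop-gap that keeps unserialize() in the code path and must be applied at every call site.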
Source: This report was generated using AI