CVE-2024-12877 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the GiveWP – Donation Plugin and Fundraising Platform for WordPress. The flaw exists in all versions up to and including 3.19.2, where the plugin improperly deserializes user-supplied input from donation form fields such as 'firstName'. This unsafe deserialization allows unauthenticated attackers to perform PHP Object Injection, a technique where crafted serialized PHP objects are injected and executed. The presence of a Property Oriented Programming (POP) chain within the plugin's codebase enables attackers to leverage this injection to delete arbitrary files on the server filesystem. This file deletion capability can be chained to achieve remote code execution (RCE), granting full control over the affected server. Although version 3.19.3 attempted a partial fix, it was insufficient, and a fully effective patch was only released in version 3.19.4. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical severity with network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The recommended remediation includes upgrading to version 3.19.4 or later and adopting safer data handling practices such as JSON encoding to prevent unsafe deserialization. No known exploits are currently reported in the wild, but the severity and ease of exploitation make this a high-priority issue for organizations using the plugin.

The impact of CVE-2024-12877 is severe for organizations using the GiveWP plugin on WordPress sites, particularly those handling donations and fundraising activities. Successful exploitation allows unauthenticated attackers to execute arbitrary PHP code remotely, leading to full server compromise. This can result in data breaches, defacement, loss of donor trust, disruption of fundraising operations, and potential financial fraud. The ability to delete arbitrary files further exacerbates the risk by enabling attackers to remove critical files, disrupt services, or implant backdoors. Given the plugin's widespread use in non-profit and fundraising sectors, the threat extends to organizations globally, potentially affecting sensitive donor information and critical fundraising infrastructure. The lack of authentication and user interaction requirements increases the likelihood of exploitation, making it a significant threat to availability, integrity, and confidentiality of affected systems.

1. Immediate upgrade to GiveWP plugin version 3.19.4 or later, which contains the fully patched fix for this vulnerability. 2. If immediate upgrade is not feasible, implement web application firewall (WAF) rules to detect and block suspicious serialized PHP object payloads targeting the donation form inputs. 3. Disable or restrict PHP unserialize() usage in plugin code or server-wide if possible, or apply hardened deserialization libraries that enforce strict type whitelisting. 4. Employ input validation and sanitization on all user-supplied data, especially fields that are deserialized. 5. Monitor server logs for unusual file deletion activities or unexpected PHP object injection attempts. 6. Consider isolating the WordPress environment and limiting file system permissions to minimize damage from potential exploitation. 7. Encourage the vendor to adopt safer data encoding formats such as JSON to prevent future deserialization vulnerabilities. 8. Regularly audit and update all WordPress plugins and themes to reduce exposure to known vulnerabilities.