CVE-2024-12877: CWE-502 Deserialization of Untrusted Data in stellarwp GiveWP – Donation Plugin and Fundraising Platform
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present.
AI Analysis
Technical Summary
CVE-2024-12877 is a critical PHP Object Injection vulnerability in the GiveWP WordPress plugin versions up to 3.19.2. It arises from unsafe deserialization of untrusted input from donation form fields, enabling attackers to inject malicious PHP objects. The presence of a gadget chain (POP chain) allows attackers to delete arbitrary files on the server, which can lead to remote code execution. Although version 3.19.3 partially addressed the issue, a fully sufficient patch was only released in version 3.19.4. The vendor has been advised to adopt JSON encoding to prevent similar deserialization vulnerabilities in the future.
Potential Impact
Successful exploitation can result in complete compromise of the affected WordPress server, including arbitrary file deletion and remote code execution. The vulnerability requires no authentication and has a CVSS score of 9.8, indicating critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fully sufficient patch is available in GiveWP version 3.19.4. Users should upgrade to version 3.19.4 or later immediately to remediate this vulnerability. The partial fix in version 3.19.3 is insufficient. The vendor recommends using JSON encoding to prevent future deserialization issues.
CVE-2024-12877: CWE-502 Deserialization of Untrusted Data in stellarwp GiveWP – Donation Plugin and Fundraising Platform
Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-12877 is a critical PHP Object Injection vulnerability in the GiveWP WordPress plugin versions up to 3.19.2. It arises from unsafe deserialization of untrusted input from donation form fields, enabling attackers to inject malicious PHP objects. The presence of a gadget chain (POP chain) allows attackers to delete arbitrary files on the server, which can lead to remote code execution. Although version 3.19.3 partially addressed the issue, a fully sufficient patch was only released in version 3.19.4. The vendor has been advised to adopt JSON encoding to prevent similar deserialization vulnerabilities in the future.
Potential Impact
Successful exploitation can result in complete compromise of the affected WordPress server, including arbitrary file deletion and remote code execution. The vulnerability requires no authentication and has a CVSS score of 9.8, indicating critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fully sufficient patch is available in GiveWP version 3.19.4. Users should upgrade to version 3.19.4 or later immediately to remediate this vulnerability. The partial fix in version 3.19.3 is insufficient. The vendor recommends using JSON encoding to prevent future deserialization issues.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-20T21:49:42.876Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e4bb7ef31ef0b59c70a
Added to database: 2/25/2026, 9:48:59 PM
Last enriched: 4/9/2026, 6:29:39 AM
Last updated: 4/12/2026, 3:55:42 PM
Views: 17
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.