// CVE-2024-5932 · UNAUTH RCE · DESERIALIZATION
GiveWP got hit?
We clean up.
An unauthenticated PHP object-injection in GiveWP let attackers run code on the server. Public PoC, mass scanning, exploited at scale starting August 2024. If your site ran an affected version, get a forensic look. Flat $279.
§ 01 — WHAT THE BUG WAS
User input → unserialize() → RCE via POP gadget.
GiveWP's donation form accepted a give_title parameter that ended up in PHP's unserialize() function. The plugin's codebase also shipped a chain of classes (a property-oriented programming, or "POP", gadget chain) whose magic methods, once triggered by that unserialize() call on attacker-supplied data, produced arbitrary code execution. No authentication required: the donation form is public by design.
Affected: all versions up to and including 3.14.1; fixed in 3.14.2, released August 7, 2024. A public write-up with a working PoC followed, and mass scanning with it. The patch was straightforward but rollout was uneven, so many sites stayed exposed for days or weeks after the fix shipped.
§ 02 — INDICATORS
What we look at.
[ ACCESS LOG ]
POSTs to /?give_action=donation or admin-ajax.php with give_title containing serialized PHP (starts with O:, a:, s:). In a log the prefix is usually URL-encoded (O%3A, a%3A, s%3A), sometimes double-encoded (O%253A), so grep for both. Caveat: a default Apache/nginx access log records the query string but not the POST body; if the payload travelled in the body you will only see the request pattern (a burst of POSTs to the donation endpoint from one IP, often with a scripting User-Agent) and need WAF or application-level logs for the payload itself.
[ FILES ]
Any PHP file under wp-content/uploads/ (there should be none), plus PHP files anywhere in the web root with modification times after the exploit window. Do not skip the GiveWP plugin folder itself: a dropped web shell often sits beside legitimate plugin code, so compare the folder against a clean copy of the same plugin version.
[ USERS ]
Admin accounts created since the disclosure. Often the immediate payload of the RCE. Also check existing admins for changed e-mail addresses, passwords, or application passwords, since attackers frequently hijack an account rather than create one.
[ ACTIVE_PLUGINS ]
wp_options active_plugins row containing plugins you didn't install. Frequently file-manager-style plugins used as a second-stage web shell. Check wp-content/mu-plugins/ as well: must-use plugins load without appearing in that row or in the plugin list.
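The [ ACCESS LOG ] and [ ACTIVE_PLUGINS ] checks above can be scripted. The following is an added example written for this page, not GiveWP code and not part of the original page. It assumes the Apache/nginx "combined" log format, that the give_title payload sits in the query string (a payload in the POST body never reaches a standard access log), and a site owner's allow-list of plugin files; the log lines, the serialized active_plugins blob, and the class name Example_Obj are constructed sample data.

```python
"""Triage helpers for two GiveWP CVE-2024-5932 indicators:
serialized PHP in give_title, and unexpected entries in active_plugins.

Added example, not GiveWP code. Assumes combined-format access logs and that
the payload is in the query string; sample data below is constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# PHP serialized-value prefixes an object-injection payload starts with
# (after URL-decoding): O: object, a: array, s: string.
SERIALIZED_RE = re.compile(r'^(?:O:\d+:"|a:\d+:\{|s:\d+:")')

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def serialized_give_title(query: str) -> Optional[str]:
    """Return the decoded give_title value if it looks like serialized PHP.

    parse_qs removes one layer of percent-encoding; unquote_plus strips a
    second one, so double-encoded payloads (O%253A...) are caught too.
    """
    for value in parse_qs(query, keep_blank_values=True).get('give_title', []):
        decoded = unquote_plus(value)
        if SERIALIZED_RE.match(decoded):
            return decoded
    return None


def scan_access_log(lines):
    """Return one dict per request whose give_title carries serialized PHP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = serialized_give_title(urlsplit(m['target']).query)
        if payload:
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'status': m['status'], 'payload': payload})
    return hits


def parse_serialized_string_list(blob: str) -> list:
    """Parse a PHP-serialized list of strings (the shape of wp_options.active_plugins).

    Walks the declared byte lengths instead of regexing for quotes, so a
    plugin path containing quotes or braces cannot desynchronize the parser.
    """
    data = blob.encode('utf-8')            # PHP string lengths are byte lengths
    head = re.match(rb'a:(\d+):\{', data)
    if not head:
        raise ValueError('not a serialized PHP array')
    pos = head.end()
    item_re = re.compile(rb'i:\d+;s:(\d+):"')
    items = []
    for _ in range(int(head.group(1))):
        item = item_re.match(data, pos)
        if not item:
            raise ValueError(f'bad element at byte {pos}')
        length = int(item.group(1))
        start = item.end()
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f'length mismatch at byte {start}')
        items.append(data[start:start + length].decode('utf-8'))
        pos = start + length + 2
    if data[pos:pos + 1] != b'}':
        raise ValueError('trailing data after array')
    return items


def unexpected_plugins(active_plugins_blob: str, known_good: set) -> list:
    """Plugin files listed in active_plugins that the site owner did not install."""
    return sorted(set(parse_serialized_string_list(active_plugins_blob)) - known_good)


# Constructed sample log: a benign donation, an object-injection attempt,
# a double-encoded retry via admin-ajax.php, and an unrelated request.
SAMPLE_LOG = [
    '198.51.100.4 - - [20/Aug/2024:14:02:11 +0000] "POST /?give_action=donation&give_title=Mr HTTP/1.1" 200 4311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Aug/2024:03:14:07 +0000] "POST /?give_action=donation&give_title=O%3A11%3A%22Example_Obj%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7D HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [21/Aug/2024:03:14:09 +0000] "POST /wp-admin/admin-ajax.php?give_title=a%253A1%253A%257Bi%253A0%253Bs%253A1%253A%2522x%2522%253B%257D HTTP/1.1" 200 0 "-" "python-requests/2.31.0"',
    '198.51.100.9 - - [21/Aug/2024:03:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
]

# Constructed active_plugins row: GiveWP plus a plugin the owner never installed.
SAMPLE_ACTIVE_PLUGINS = 'a:2:{i:0;s:13:"give/give.php";i:1;s:32:"filemanager-lite/filemanager.php";}'
KNOWN_GOOD = {'give/give.php'}

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} give_title={hit['payload']}")
    print('unexpected plugins:', unexpected_plugins(SAMPLE_ACTIVE_PLUGINS, KNOWN_GOOD))
```

Run it against a real log with `scan_access_log(open('access.log'))` and against the value of `SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'`. A hit on a request that returned 200 is not proof of success, and an absence of hits proves nothing if the payload went in the POST body; treat the output as a lead for the file and user checks, not as a verdict.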
§ PRICE
Flat $279. One-time. Per site.
[ RESCUE ]
$279
FLAT · ONE-TIME · PER SITE
Manual cleanup, entry vector identified, written forensic report. 30-day reinfection guarantee.
Start cleanup →
[ SHIELD ]
$29 / mo
PER SITE · CANCEL ANYTIME
Ongoing monitoring, hardening, one cleanup per year included.
Get protected →
Site compromised? Start a job.
Send us what you know. You get a triage and a fixed quote in return — no obligation.