A critical security issue affects the GiveWP WordPress plugin, which is installed on more than 100,000 websites. As reported by Wordfence, a code execution vulnerability has been identified in the GiveWP plugin, which is widely used to add donation and fundraising features to WordPress sites. The flaw, present in all versions before 3.14.2, allows unauthenticated attackers to execute arbitrary PHP code, potentially leading to remote code execution and deletion of arbitrary files on the server.
The severity of the flaw is reflected in its identifier, CVE-2024-5932, and its severity score of 10, the maximum possible. Security researcher Villu Orav (villu164) reported the issue through Wordfence's bug bounty program, and the GiveWP team patched it in version 3.14.2. The researcher received a $4,998 bounty from Wordfence for the discovery.
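The practical check a site owner wants from this advisory is whether the installed GiveWP version is older than the fixed release, 3.14.2. The following is an added example, not code from the article, Wordfence, or the GiveWP project: it parses the `Version:` field from a WordPress plugin header comment and compares it numerically against the fixed version. The sample header is constructed here for illustration (the real plugin's file path and header are not given on this page, so the path is an assumption to be adjusted for the actual install).

```python
import re
from typing import Optional, Tuple

# First fixed release named in the advisory above.
GIVEWP_FIXED_VERSION = "3.14.2"


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '3.14.2' into (3, 14, 2) so versions compare numerically.

    A plain string comparison would wrongly rank '3.9.0' above '3.14.2'.
    Pre-release suffixes (e.g. '-beta') are ignored; only the numeric
    components are compared.
    """
    return tuple(int(part) for part in re.findall(r"\d+", ver))


def plugin_header_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin's main-file header.

    WordPress reads plugin metadata from a PHP comment block at the top of the
    plugin's main file; the 'Version:' line is the installed version.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(installed: str, fixed: str = GIVEWP_FIXED_VERSION) -> bool:
    """True when the installed version is older than the first fixed release.

    A shorter tuple such as (3, 14) sorts below (3, 14, 2), which matches the
    intended meaning that 3.14 (i.e. 3.14.0) predates 3.14.2.
    """
    return parse_version(installed) < parse_version(fixed)


def check_plugin_file(path: str) -> bool:
    """Read a plugin main file from disk and report whether it needs updating.

    Assumed path for the real plugin: wp-content/plugins/give/give.php
    (an assumption, not taken from the advisory; verify against the install).
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        header = fh.read(8192)  # the header comment sits at the top of the file
    version = plugin_header_version(header)
    if version is None:
        raise ValueError(f"no Version: header found in {path}")
    return is_vulnerable(version)


# Constructed sample header, shaped like a WordPress plugin header but not
# copied from the real GiveWP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: GiveWP - Donation Plugin and Fundraising Platform
 * Version: 3.14.1
 * Author: GiveWP
 */
"""

if __name__ == "__main__":
    found = plugin_header_version(SAMPLE_HEADER)
    status = "UPDATE REQUIRED" if is_vulnerable(found) else "patched"
    print(f"installed {found}, fixed in {GIVEWP_FIXED_VERSION}: {status}")
```

The same comparison can be fed from WP-CLI output (`wp plugin get give --field=version`) on a multi-site fleet instead of reading the file directly; the numeric tuple comparison is what matters, since string comparison of version numbers silently misclassifies releases once a component reaches two digits.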
This disclosure comes shortly after Wordfence reported another vulnerability, in the InPost PL and InPost for WooCommerce WordPress plugins. Assigned CVE-2024-6500 with a CVSS score of 10, that flaw could allow an unauthenticated attacker to read and delete sensitive files, including wp-config.php.