CVE-2024-12877 — AI Deep Analysis Summary

🚨 **Essence**: Unauthenticated PHP Object Injection in GiveWP. <br>💥 **Consequences**: Attackers can inject malicious PHP objects via untrusted input (e.g., donation forms).…

🛡️ **Root Cause**: Unsafe use of `unserialize()` on user-controlled input. <br>🔍 **CWE**: CWE-502 (Deserialization of Untrusted Data).…

📦 **Vendor**: Stellarwp. <br>📱 **Product**: GiveWP – Donation Plugin and Fundraising Platform. <br>📉 **Affected Versions**: Version **3.19.2 and earlier**.…

🕵️ **Privileges**: **Unauthenticated** access required. No login needed. <br>💾 **Data/Actions**: <br>- **RCE**: Execute arbitrary code on the server. <br>- **File Manipulation**: Delete arbitrary files via POP chain.…

📉 **Threshold**: **LOW**. <br>🔓 **Auth**: None required (Unauthenticated). <br>🎯 **Vector**: Network (AV:N), Low Complexity (AC:L). <br>👥 **UI**: No user interaction needed (UI:N).…

🔥 **Public Exploit**: **YES**. <br>📂 **PoC Available**: Multiple GitHub repositories exist (e.g., `soltanali0/CVE-2024-12877-Exploit`, `RandomRobbieBF/CVE-2024-12877`).…

🔍 **Self-Check**: <br>1. Scan for **GiveWP** plugin version ≤ 3.19.2. <br>2. Look for donation forms sending serialized data. <br>3.…

✅ **Official Fix**: **YES**. <br>📦 **Patch**: Version **3.19.3** fixes the issue. <br>🔗 **Reference**: Changeset 3212723 in `src/Helpers/Utils.php` addresses the unsafe deserialization.…

🚧 **Workaround (No Patch)**: <br>1. **Disable** the GiveWP plugin if not in use. <br>2. **Restrict Access**: Block access to donation endpoints via firewall/WAF. <br>3.…

🚨 **Urgency**: **CRITICAL / IMMEDIATE**. <br>🔴 **Priority**: P1. <br>⏳ **Reason**: Unauthenticated RCE with public exploits. <br>📢 **Action**: Patch immediately. Delay risks full server compromise and data loss.