Associated Vulnerability

Title: GiveWP – Donation Plugin and Fundraising Platform <= 3.19.2 - Unauthenticated PHP Object Injection (CVE-2024-12877)

Description: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present.
Readme
# GO-TO CVE – CVE-2024-12877-Exploit
**Week 66 | Author: Ali Soltani ([soltanali0](https://x.com/soltanali0))**
Welcome to **Week 66 of the GO-TO CVE series**, where we dissect vulnerabilities, analyze root causes, and demonstrate practical exploitation techniques in a safe, educational context.
---
## 🚨 Overview
**CVE-2024-12877** is a **PHP Object Injection** vulnerability in **GiveWP**, one of the most widely-used WordPress donation plugins. The unsafe use of `unserialize()` on user-controlled input allows attackers to trigger PHP magic methods (like `__wakeup()`), potentially leading to:
* Remote Code Execution (RCE) ⚡
* Sensitive data theft 🕵️♂️
* Privilege escalation 🔑
* Full server compromise ☠️
**CVSS:** 9.8 Critical | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
---
## 🧩 About [GiveWP](https://givewp.com/)
<img width="775" height="200" alt="image" src="https://github.com/user-attachments/assets/04f89579-df3c-4b96-859e-8740d4aa862f" />
GiveWP powers thousands of charity websites, NGOs, and fundraising platforms. Because it handles sensitive financial and donor data, a vulnerability here is highly impactful. An attacker exploiting object injection can escalate from a single plugin to compromising the entire WordPress installation and the underlying server.
---
## ⚙️ Vulnerability Details
* **Root Cause:** `unserialize()` on untrusted input. While `unserialize()` is designed to rebuild PHP data structures, it has a dangerous side effect: when objects are reconstructed, PHP automatically invokes their magic methods.
* **PHP Magic Methods:** PHP invokes these automatically during the object lifecycle:
  * `__wakeup()` – triggered when an object is unserialized
  * `__destruct()`, `__toString()`, `__get()`/`__set()`, `__call()`/`__callStatic()` – can be leveraged for malicious execution
* **Regex Validation:** GiveWP implemented regex checks to detect serialized input. While the new regex catches more data types, **regex cannot reliably prevent object injection**.
<img width="1737" height="859" alt="image" src="https://github.com/user-attachments/assets/fbad070d-c532-4c4f-bf46-fc16c01e3765" />
---
### Key insight
With a crafted serialized object, the attacker sets the object's properties, and PHP itself executes the attacker's logic by invoking the magic methods.
### Regex Validation
GiveWP implemented regex-based validation to check whether input was serialized.
### Old Regex (incomplete)
* Only recognized arrays and objects.
* Other serialized types (string, int, bool, float, null) bypassed detection.
<img width="2144" height="450" alt="carbon" src="https://github.com/user-attachments/assets/ee78c9c4-0ed3-44a7-8180-1a583f2c7673" />
---
### New Regex (improved, but flawed)
* Recognizes all PHP serialized types.
* Blocks some trivial payloads.
* But the core problem remains: if `unserialize()` is used on user input, regex can't save you.
<img width="2144" height="786" alt="carbon (1)" src="https://github.com/user-attachments/assets/cd82ec02-9ed9-4bad-a722-ff7b49f27f74" />
This snippet was written to compare two different regex implementations:
* `is_serialized_old()` → the old version, which only detects arrays and objects.
* `is_serialized_new()` → the improved version, which recognizes all PHP serialized data types (arrays, objects, strings, integers, booleans, floats, and null).
We create a set of test values (array, object, string, integer, boolean, float, null), serialize them, and then check each one against both regex functions.
In simple terms:
<img width="975" height="780" alt="image" src="https://github.com/user-attachments/assets/917300e6-bfae-474e-af5d-bf5021cc6d63" />
After running this code in your Docker container, you will see this result in the browser:
<img width="580" height="367" alt="image" src="https://github.com/user-attachments/assets/967696c4-0ffa-4c7f-89a0-749737686443" />
## 💥 Exploit Demo
Step 1
<img width="1326" height="482" alt="carbon (2)" src="https://github.com/user-attachments/assets/7b0fcc96-d4cc-4434-9c8b-57953708ae91" />
Step 2: Create a vulnerable class
<img width="2054" height="674" alt="carbon (4)" src="https://github.com/user-attachments/assets/9ae5dd0d-fbe3-42bb-bbd9-a123ad686639" />
This class has a `__wakeup()` method that will execute automatically when the object is unserialized.
Step 3: Craft payload
<img width="975" height="267" alt="image" src="https://github.com/user-attachments/assets/fdc1dbaf-2a7a-447e-9fec-817531f2fc7d" />
Step 4: Output
After saving the file, you can see the exploit output:
<img width="975" height="727" alt="image" src="https://github.com/user-attachments/assets/dc607bc2-7589-4214-bdd3-e0995b7622e5" />
Exploit:
<img width="783" height="406" alt="image" src="https://github.com/user-attachments/assets/0f4d0314-76a4-44c2-bd3e-9af003c0540d" />
* Old Regex: `FALSE` → failed to detect the payload.
* New Regex: `TRUE` → detected it as serialized input.
* Executing: `Hello RCE!` → The payload was unserialized, and the magic method `__wakeup()` executed attacker-controlled code.
> Key insight: **Never rely on regex to secure unserialize()**. The safest approach is to avoid unserializing untrusted input altogether.
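As an added example (my own code, not GiveWP's and not the repo's snippet) that covers both the regex comparison above and the `__wakeup()` demo: two approximate "old" and "new" serialized-input regexes, a toy gadget class standing in for a real POP chain, and the vulnerable handler beside one hardened with `allowed_classes => false`. The regexes, `LogCleaner`, and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not GiveWP's code. The two regexes are my own approximations
// of an "old" (arrays/objects only) and a "new" (all types) serialized-input
// check; LogCleaner is a toy stand-in for a real gadget class.

class LogCleaner {
    public $path = '';
    // PHP calls this automatically when an instance is rebuilt by unserialize().
    public function __wakeup(): void {
        echo "__wakeup() ran with path={$this->path}\n";
    }
}

// Old check: only recognises arrays (a:) and objects (O:).
function is_serialized_old(string $s): bool {
    return (bool) preg_match('/^(a|O):\d+:/', $s);
}

// New check: recognises every serialized type, scalars and null included.
function is_serialized_new(string $s): bool {
    return (bool) preg_match('/^(N;|b:[01];|i:-?\d+;|d:-?[\d.E+-]+;|s:\d+:"|a:\d+:\{|O:\d+:")/', $s);
}

// Vulnerable pattern: detection happens, but the value is still unserialized.
function handle_vulnerable(string $firstName): array {
    $detected = is_serialized_new($firstName);
    return [$detected, unserialize($firstName)];   // gadget's __wakeup() fires here
}

// Hardened pattern: never rebuild application classes from untrusted input.
function handle_hardened(string $firstName) {
    // allowed_classes => false turns any O: payload into __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() of a real class can run.
    $value = unserialize($firstName, ['allowed_classes' => false]);
    return $value instanceof __PHP_Incomplete_Class ? null : $value;
}

// Constructed inputs standing in for the donation form's 'firstName' field.
$gadget = new LogCleaner();
$gadget->path = '/tmp/constructed-demo.log';   // placeholder; nothing is touched
$inputs = ['object' => serialize($gadget), 'string' => serialize('Alice')];

foreach ($inputs as $kind => $input) {
    // string: old=0 new=1 (old regex misses scalars); object: old=1 new=1
    printf("%-6s old=%d new=%d\n", $kind, is_serialized_old($input), is_serialized_new($input));
}
handle_vulnerable($inputs['object']);                  // prints the __wakeup() line
var_dump(handle_hardened($inputs['object']) === null); // bool(true): gadget neutralised
```

If the field genuinely needs structured data, `json_decode($input, true)` yields only arrays and scalars, so there is no class for PHP to rebuild and no magic method to trigger.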
---
## 🛡 Prevention
* Do **not** use `unserialize()` on untrusted input; prefer `json_decode()` or other safe alternatives.
* Keep GiveWP and all WordPress plugins updated.
* Deploy a Web Application Firewall (WAF) to block malicious payloads.
* Apply the Principle of Least Privilege for PHP and database accounts.
---
## 📱 Follow Our Weekly CVE Analysis
I run two Telegram channels dedicated to vulnerability research and exploitation:
1. **GO-TO CVE Weekly Episodes:**
Every week, we dive deep into a new CVE and share detailed analysis, demos, and insights.
🔗 [Join us here](https://t.me/GOTOCVE)
2. **CVEdb – Exploit Archive:**
This channel archives **1-day exploits and custom PoCs** for CVEs. A great resource for researchers who want to see active exploitation techniques.
🔗 [Join CVEdb](https://t.me/CVEdb)
> Follow the channels to stay up-to-date with the latest CVEs, exploitation techniques, and security research insights.
---
## 📚 References
* [NVD CVE-2024-12877](https://nvd.nist.gov/vuln/detail/CVE-2024-12877)
* [Wordfence Analysis](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3192-unauthenticated-php-object-injection)
* [GiveWP Source](https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php)
---
## ⚖️ Legal Disclaimer
This repository is strictly for **educational and research purposes**. Exploiting vulnerabilities without permission is **illegal and unethical**. The author is **not responsible for misuse**.