cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-12877,https://securityvulnerability.io/vulnerability/CVE-2024-12877,PHP Object Injection Vulnerability in GiveWP Donation Plugin for WordPress,"The GiveWP Donation Plugin for WordPress is susceptible to PHP Object Injection due to improper handling of untrusted input from the donation form, such as the 'firstName' field. This vulnerability affects all versions up to and including 3.19.2 and allows unauthenticated attackers to inject malicious PHP objects. The presence of a Property-Oriented Programming (POP) chain could enable these attackers to execute remote code and potentially delete arbitrary files on the server. While version 3.19.3 attempted a patch, it was not fully effective, and a comprehensive solution was only provided in version 3.19.4. It is strongly recommended that the vendor implement JSON encoding to mitigate the risk of deserialization vulnerabilities in the future.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,9.8,CRITICAL,0.0007099999929778278,false,,false,false,false,false,false,false,2025-01-11T07:21:53.510Z,0
CVE-2024-9634,https://securityvulnerability.io/vulnerability/CVE-2024-9634,Untrusted Input Vulnerability in GiveWP Donation Plugin Allows PHP Object Injection and Remote Code Execution,"The GiveWP Donation Plugin for WordPress is impacted by a significant security issue involving PHP Object Injection. This vulnerability arises from the deserialization of untrusted input, specifically through the give_company_name parameter. Attackers exploiting this vulnerability can inject a PHP Object into the application, with the potential for a crafted payload to execute remote code. This poses a severe threat to the integrity and confidentiality of the affected WordPress installations. Users are advised to review their plugin versions and apply necessary updates to mitigate this risk.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,9.8,CRITICAL,0.0006300000241026282,false,,false,false,false,,false,false,2024-10-16T02:05:09.208Z,0
CVE-2024-9130,https://securityvulnerability.io/vulnerability/CVE-2024-9130,SQL Injection Vulnerability in GiveWP's Donation Plugin,"The GiveWP Donation Plugin for WordPress is exposed to a time-based SQL Injection vulnerability via the 'order' parameter in all versions up to and including 3.16.1. This vulnerability arises from insufficient data escaping and lack of proper preparation in existing SQL queries, enabling authenticated users with Manager-level access and above to inject additional malicious SQL commands. These actions can result in unauthorized access to sensitive information stored in the database, particularly in Legacy View mode, potentially jeopardizing user data and the integrity of the application.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,7.2,HIGH,0.0008099999977275729,false,,false,false,false,,false,false,2024-09-27T05:31:02.642Z,0
CVE-2024-6551,https://securityvulnerability.io/vulnerability/CVE-2024-6551,Unauthenticated Attackers Can Retrieve Full Path of Web Application: GiveWP Plugin Vulnerable to Full Path Disclosure,"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.15.1. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-08-29T10:59:40.547Z,0
CVE-2024-5940,https://securityvulnerability.io/vulnerability/CVE-2024-5940,Unauthorized Data Modification Vulnerability in GiveWP Donation Plugin,"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-08-20T02:03:19.791Z,0
CVE-2024-5939,https://securityvulnerability.io/vulnerability/CVE-2024-5939,Unauthorized Access to Setup Wizard Administrative Pages,"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to read the setup wizard administrative pages.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-08-20T02:03:17.549Z,0
CVE-2024-5932,https://securityvulnerability.io/vulnerability/CVE-2024-5932,Unauthenticated PHP Object Injection Vulnerability in GiveWP Donation Plugin,"The GiveWP Donation Plugin for WordPress is susceptible to a PHP Object Injection due to improper handling of the 'give_title' parameter. This vulnerability allows unauthenticated attackers to exploit deserialization of untrusted input, potentially leading to the injection of malicious PHP objects. With the existence of a PHP Object Pollution (POP) chain, attackers can execute arbitrary code remotely and manipulate the file system, including the deletion of files. Websites utilizing this plugin prior to version 3.14.2 are at risk and must be updated immediately to safeguard against such threats.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,9.8,CRITICAL,0.056370001286268234,false,,true,false,true,true,true,false,2024-08-20T02:03:16.108Z,6027
CVE-2024-5941,https://securityvulnerability.io/vulnerability/CVE-2024-5941,Unauthorized Access to Attachment Paths and Files,"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read attachment paths and delete attachment files.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-08-20T02:03:14.586Z,0
CVE-2024-5977,https://securityvulnerability.io/vulnerability/CVE-2024-5977,Arbitrary Post Deletion and Updation Vulnerability in GiveWP Plugin,"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the 'handleRequest' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to delete and update arbitrary posts.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-07-19T11:01:41.290Z,0
CVE-2024-3714,https://securityvulnerability.io/vulnerability/CVE-2024-3714,Stored Cross-Site Scripting Vulnerability in GiveWP Donation Plugin,"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-18T04:30:52.568Z,0
CVE-2024-1957,https://securityvulnerability.io/vulnerability/CVE-2024-1957,Stored Cross-Site Scripting Vulnerability in GiveWP Donation Plugin,"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-13T01:57:48.081Z,0
CVE-2024-1424,https://securityvulnerability.io/vulnerability/CVE-2024-1424,Arbitrary Script Injection Vulnerability in GiveWP Donation Plugin,"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-09T18:59:19.094Z,0
CVE-2023-4247,https://securityvulnerability.io/vulnerability/CVE-2023-4247,Cross-Site Request Forgery Vulnerability in GiveWP Plugin for WordPress,"The GiveWP plugin for WordPress has a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in the give_sendwp_disconnect function. This flaw allows unauthenticated attackers to disable the SendWP plugin by tricking site administrators into executing unauthorized actions, such as clicking on a malicious link. Users should be cautious and ensure their plugins are updated to protect against potential exploitation.",Wordpress,GiveWP – Donation Plugin and Fundraising Platform,5.4,MEDIUM,0.0007699999841861427,false,,false,false,false,,false,false,2024-01-11T08:33:05.017Z,0
CVE-2023-4246,https://securityvulnerability.io/vulnerability/CVE-2023-4246,Cross-Site Request Forgery Vulnerability in GiveWP Plugin for WordPress,"The GiveWP plugin for WordPress is prone to a Cross-Site Request Forgery vulnerability due to inadequate nonce validation within the give_sendwp_remote_install_handler function. This security flaw can be exploited by unauthenticated attackers who trick site administrators into executing malicious requests, potentially leading to unauthorized installation and activation of the SendWP plugin. Administrators should ensure their sites are updated to prevent exploitation of this vulnerability.",Wordpress,GiveWP – Donation Plugin and Fundraising Platform,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2024-01-11T08:33:03.312Z,0
CVE-2023-4248,https://securityvulnerability.io/vulnerability/CVE-2023-4248,Cross-Site Request Forgery Vulnerability in GiveWP Plugin for WordPress,"The GiveWP plugin for WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation in the give_stripe_disconnect_connect_stripe_account function. This flaw allows unauthorized attackers to modify the plugin’s Stripe integration settings. By tricking a site administrator into clicking a malicious link, an attacker can send forged requests that disable essential payment functionalities.",Wordpress,GiveWP – Donation Plugin and Fundraising Platform,4.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2024-01-11T08:32:30.451Z,0
CVE-2022-2260,https://securityvulnerability.io/vulnerability/CVE-2022-2260,GiveWP < 2.21.3 - DoS via CSRF,"The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,6.5,MEDIUM,0.0008399999933317304,false,,false,false,false,,false,false,2022-08-01T12:50:58.000Z,0
CVE-2022-2215,https://securityvulnerability.io/vulnerability/CVE-2022-2215,GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting,"The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2022-08-01T12:50:18.000Z,0
CVE-2022-2117,https://securityvulnerability.io/vulnerability/CVE-2022-2117,GiveWP – Donation Plugin and Fundraising Platform <= 2.20.2 - Sensitive Information Disclosure,"The GiveWP plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 2.20.2 via the /donor-wall REST-API endpoint which provides unauthenticated users with donor information even when the donor wall is not enabled. This functionality has been completely removed in version 2.20.2.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,5.3,MEDIUM,0.0009800000116229057,false,,false,false,false,,false,false,2022-07-18T16:16:48.000Z,0
CVE-2022-0252,https://securityvulnerability.io/vulnerability/CVE-2022-0252,Give < 2.17.3 - Reflected Cross-Site Scripting via Import Tool,"The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,6.1,MEDIUM,0.0006900000153109431,false,,false,false,false,,false,false,2022-02-21T10:46:09.000Z,0
CVE-2021-25100,https://securityvulnerability.io/vulnerability/CVE-2021-25100,Give < 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard,"The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,6.1,MEDIUM,0.0006900000153109431,false,,false,false,false,,false,false,2022-02-21T10:45:54.000Z,0
CVE-2021-25099,https://securityvulnerability.io/vulnerability/CVE-2021-25099,Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting,"The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,6.1,MEDIUM,0.0010000000474974513,false,,false,false,false,,false,false,2022-02-21T10:45:53.000Z,0
CVE-2021-24524,https://securityvulnerability.io/vulnerability/CVE-2021-24524,GiveWP < 2.12.0 - Authenticated Stored XSS,"The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2021-08-23T11:09:59.000Z,0
CVE-2021-24315,https://securityvulnerability.io/vulnerability/CVE-2021-24315,Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS),"The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,4.8,MEDIUM,0.000590000010561198,false,,false,false,false,,false,false,2021-05-17T16:48:53.000Z,0
CVE-2021-24213,https://securityvulnerability.io/vulnerability/CVE-2021-24213,GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS),"The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,6.1,MEDIUM,0.0014900000533089042,false,,false,false,false,,false,false,2021-04-12T14:00:09.000Z,0