threatover Patrik Grobshäuser

CVE-2024-5932 · Unauth RCE · deserialization

GiveWP compromise cleanup.

An unauthenticated PHP object injection in GiveWP let attackers run code on the server. Public PoC, mass scanning, exploitation at scale from August 2024. If your site ran an affected version, get a forensic look. Flat $279.

What the bug was

User input → unserialize() → RCE via POP gadget.

GiveWP's donation form accepted a give_title parameter that reached PHP's unserialize() without being rejected. Classes shipped with the plugin carry magic methods (__destruct, __toString and friends) that run automatically once unserialize() has instantiated the object; chained together (a 'POP gadget chain'), they turn that one unserialize call into arbitrary code execution. No authentication required: the donation form is public by design, so anyone who can reach the form can send the payload.

Affected: 3.14.1 and earlier. Fixed in 3.14.2, released August 7, 2024, with a working PoC public shortly after. The patch itself was straightforward, but rollout was uneven and many sites stayed exposed for days.

Indicators

What I look at.

  • ACCESS LOG

    POSTs to /?give_action=donation or admin-ajax.php with give_title containing serialized PHP (starts with O:, a:, s:). Surprisingly clear in logs, with one caveat: a stock access log records the request line, not the POST body, so a payload sent in the body only shows up if you log bodies or have WAF logs. A payload sent in the query string is always visible. Either way, the attacker's IP and timestamp give you the pivot for the other checks below.

  • FILES

    Fresh PHP in wp-content/uploads/ (which should never contain PHP at all) or anywhere outside the GiveWP plugin folder with a modification time after August 2024. Modification times can be faked, so also compare core and plugin files against a clean copy of the same versions.

  • USERS

    Administrator accounts created since the disclosure. Creating one is often the first thing the RCE is used for. Check wp_users and the wp_capabilities rows in wp_usermeta directly, not just the dashboard user list.

  • ACTIVE_PLUGINS

    wp_options active_plugins row (a PHP-serialized array of plugin paths) containing plugins you didn't install. Frequently file-manager-style plugins used as a second-stage web shell. An object (O:) entry in that row is a red flag on its own.
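The checks above, worked through in code. This is an added example, not GiveWP code and not threatover's tooling. It shows what the serialized give_title payload from the 'What the bug was' section looks like once URL-decoded, flags it in access-log lines, parses the PHP-serialized active_plugins row and diffs it against a known-good list, and lists administrator accounts registered after the patch date. Everything is constructed for the demo: the log lines (combined format, with an optional trailing quoted request body standing in for a body-logging or WAF format), the documentation-range IPs, the plugin slug ftools/ftools.php, and the user rows; stdClass stands in for the real gadget class, which is not reproduced here.

```python
"""Triage helpers for the CVE-2024-5932 indicators (added example; not GiveWP
code, not threatover's tooling). All sample data below is constructed."""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Openers of serialized PHP values: object, array, string. "O:" is what
# unserialize() turns into a live object (and so into a POP chain); payloads
# are often wrapped in an array, so "a:" is checked as well.
SERIALIZED_PHP = re.compile(r'(?<![\w-])(?:O:\d+:"|a:\d+:\{|s:\d+:")')

# Combined log format, optionally followed by a quoted request body (assumed
# body-logging format for this demo). Stock combined logs do NOT record POST
# bodies, so a give_title sent in the body is only visible with body or WAF
# logging; a give_title in the query string is always visible.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" \d{3} \S+ "[^"]*" "[^"]*"'
    r'(?: "([^"]*)")?$')

# Constructed log lines. stdClass stands in for the gadget class.
LOG_LINES = [
    '203.0.113.5 - - [21/Aug/2024:10:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "action=give_process_donation&give_title=Mr&give_first=Ann"',
    '198.51.100.7 - - [21/Aug/2024:10:02:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31" "action=give_process_donation&give_title=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bs%3A2%3A%22id%22%3B%7D"',
    '198.51.100.7 - - [21/Aug/2024:10:03:01 +0000] "POST /?give_action=donation&give_title=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.9 - - [21/Aug/2024:10:04:00 +0000] "GET /donate/ HTTP/1.1" 200 8231 "-" "Mozilla/5.0"',
]


def suspicious_requests(lines):
    """Return (client_ip, path, decoded give_title) for every request whose
    give_title, in the query string or a logged body, looks like serialized PHP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, body = m.groups()
        path, _, query = target.partition('?')
        for blob in (query, body or ''):
            for title in parse_qs(blob).get('give_title', []):  # parse_qs URL-decodes
                if SERIALIZED_PHP.search(title):
                    hits.append((ip, path, title))
    return hits


def php_unserialize_string_array(blob):
    """Parse the subset of PHP serialize() output that active_plugins uses:
    a:N:{i:0;s:L:"...";...}. Lengths are byte counts, so a value containing
    ';' or '"' cannot desynchronise the parser. Anything else raises,
    including an O: entry, which would itself be a red flag in this row."""
    data = blob.encode('utf-8')
    if not data.startswith(b'a:'):
        raise ValueError('not a serialized PHP array')
    head_end = data.index(b':{', 2)
    count = int(data[2:head_end])
    pos = head_end + 2
    items = []
    for _ in range(count):
        if data[pos:pos + 2] != b'i:':                 # integer key
            raise ValueError('unexpected key at offset %d' % pos)
        pos = data.index(b';', pos) + 1
        if data[pos:pos + 2] != b's:':                 # string value
            raise ValueError('unexpected value type at offset %d' % pos)
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                              # skip ':"'
        items.append(data[start:start + length].decode('utf-8'))
        pos = start + length + 2                       # skip '";'
    if data[pos:pos + 1] != b'}':
        raise ValueError('missing closing brace')
    return items


# Constructed wp_options.active_plugins row; ftools/ftools.php is a hypothetical
# file-manager plugin that nobody on the team installed.
ACTIVE_PLUGINS = ('a:3:{i:0;s:13:"give/give.php";i:1;s:19:"akismet/akismet.php";'
                  'i:2;s:17:"ftools/ftools.php";}')
EXPECTED_PLUGINS = ['give/give.php', 'akismet/akismet.php']


def unexpected_plugins(active_plugins_row, expected):
    """Plugins active in the database that are not on the known-good list."""
    return sorted(set(php_unserialize_string_array(active_plugins_row)) - set(expected))


PATCH_RELEASE = datetime(2024, 8, 7, tzinfo=timezone.utc)


def ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


USERS = [  # constructed: wp_users joined with the wp_capabilities usermeta
    {'user_login': 'owner', 'roles': ['administrator'], 'user_registered': ts(2021, 3, 2)},
    {'user_login': 'editor2', 'roles': ['editor'], 'user_registered': ts(2024, 8, 9)},
    {'user_login': 'wpadmin_sys', 'roles': ['administrator'], 'user_registered': ts(2024, 8, 22)},
]


def admins_created_since(users, since=PATCH_RELEASE):
    """Administrator accounts registered on or after the patch release date."""
    return [u['user_login'] for u in users
            if 'administrator' in u['roles'] and u['user_registered'] >= since]


if __name__ == '__main__':
    for ip, path, title in suspicious_requests(LOG_LINES):
        print('serialized give_title from %s on %s: %s' % (ip, path, title))
    print('unexpected plugins:', unexpected_plugins(ACTIVE_PLUGINS, EXPECTED_PLUGINS))
    print('new admins:', admins_created_since(USERS))
```

To run this against a real site, feed suspicious_requests() the access log (and WAF or body log, if any), pull the raw active_plugins row with wp db query "SELECT option_value FROM wp_options WHERE option_name='active_plugins'" rather than a pretty-printed view, and build the user rows from wp_users joined with the wp_capabilities meta. Parsing the row with a length-honouring parser instead of splitting on quotes matters here because a malicious entry can contain exactly the characters a naive split would trip on.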

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.