SecurityWeek reports that more than 100,000 WordPress websites could be hijacked in intrusions exploiting a maximum severity PHP object injection flaw in the widely used fundraising and donation plugin GiveWP.
Such a vulnerability, tracked as CVE-2024-5932, could be leveraged by threat actors to facilitate PHP object injection and subsequent Property Oriented Programming chain abuse involving the manipulation of deserialized objects for remote code execution and arbitrary file deletion, a report from Defiant revealed. Deleting certain files could allow site resets, which would prompt a connection to a remote attacker-controlled database and increase the odds of complete site takeovers, researchers added. Organizations have been urged to ensure that their implementations of GiveWP version 3.14.1 and prior are updated to version 3.14.2, which addresses the vulnerability, as the plugin was noted by WordPress.org to have gained more than 60,000 downloads during the last seven days.
