The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the 'handleRequest' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to delete and update arbitrary posts.
References
Configurations
History
21 Nov 2024, 09:48
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/give/trunk/src/DonationForms/V2/Endpoints/FormActions.php#L96 - Patch | |
References | () https://plugins.trac.wordpress.org/changeset/3120745/ - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/2dca6c29-9f05-4d82-90e3-834f1dd8005a?source=cve - Third Party Advisory | |
Summary |
|
19 Jul 2024, 18:27
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/give/trunk/src/DonationForms/V2/Endpoints/FormActions.php#L96 - Patch | |
References | () https://plugins.trac.wordpress.org/changeset/3120745/ - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/2dca6c29-9f05-4d82-90e3-834f1dd8005a?source=cve - Third Party Advisory | |
CPE | cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:* | |
First Time |
Givewp givewp
Givewp |
19 Jul 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-19 11:15
Updated : 2024-11-21 09:48
NVD link : CVE-2024-5977
Mitre link : CVE-2024-5977
CVE.ORG link : CVE-2024-5977
JSON object : View
Products Affected
givewp
- givewp
CWE
CWE-639
Authorization Bypass Through User-Controlled Key