Skip to main content

Givewp CVE-2024-9130

HIGH
SQL Injection (CWE-89)
2024-09-27 security@wordfence.com
7.2
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (wordfence) · only source for this CVE.

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 27, 2024 - 06:15 cve.org
HIGH 7.2

DescriptionCVE.org

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with GiveWP Manager-level access and above, to append additional SQL queries into already existing queries within the Legacy View mode, that can be used to extract sensitive information from the database.

AnalysisAI

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with GiveWP Manager-level access and above, to append additional SQL queries into already existing queries within the Legacy View mode, that can be used to extract sensitive information from the database. Affected products include: Givewp.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

More in Givewp

View all
CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2024-5932 CRITICAL POC
9.8 Aug 20

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2025-0912 CRITICAL
9.8 Mar 04

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.

CVE-2022-2260 MEDIUM POC
6.5 Aug 01

The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exp

CVE-2022-0252 MEDIUM POC
6.1 Feb 21

The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute i

CVE-2021-24213 MEDIUM POC
6.1 Apr 12

The GiveWP - Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-S

CVE-2019-9909 MEDIUM POC
6.1 Mar 22

The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS. Rated me

CVE-2024-9634 CRITICAL
9.8 Oct 16

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2024-37099 CRITICAL
9.8 Aug 19

Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.14.1. Rated critical severi

CVE-2019-13578 CRITICAL
9.8 Aug 15

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Rated critical sever

CVE-2019-15317 MEDIUM POC
5.4 Aug 22

The give plugin before 2.4.7 for WordPress has XSS via a donor name. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2020-20627 MEDIUM POC
5.3 Aug 31

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauth

Share

CVE-2024-9130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy