Share
## https://sploitus.com/exploit?id=4BB18EE2-E5E8-5112-82ED-1FD80FFED294
# GO-TO CVE – CVE-2024-12877-Exploit

**Week 66 | Author: Ali Soltani ([soltanali0]([url](https://x.com/soltanali0)))**

Welcome to **Week 66 of the GO-TO CVE series**, where we dissect vulnerabilities, analyze root causes, and demonstrate practical exploitation techniques in a safe, educational context.

---

## 🚨 Overview

**CVE-2024-12877** is a **PHP Object Injection** vulnerability in **GiveWP**, one of the most widely-used WordPress donation plugins. The unsafe use of `unserialize()` on user-controlled input allows attackers to trigger PHP magic methods (like `__wakeup()`), potentially leading to:

* Remote Code Execution (RCE) ⚑
* Sensitive data theft πŸ•΅οΈβ€β™‚οΈ
* Privilege escalation πŸ”‘
* Full server compromise ☠️

**CVSS:** 9.8 Critical | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

---

## 🧩 About [GiveWP](https://givewp.com/)




GiveWP powers thousands of charity websites, NGOs, and fundraising platforms. Because it handles sensitive financial and donor data, a vulnerability here is highly impactful. An attacker exploiting object injection can escalate from a single plugin to compromising the entire WordPress installation and the underlying server.

---

## βš™οΈ Vulnerability Details

* **Root Cause:** `unserialize()` on untrusted input.

* **PHP Magic Methods:** PHP automatically invokes these during object lifecycle:

* The vulnerability stems from unsafe use of the PHP function unserialize() on user-controlled input. While unserialize() is designed to rebuild PHP data structures, it comes with a dangerous side effect: when objects are reconstructed, PHP automatically invokes magic methods.

## Magic Methods in PHP

 * `__wakeup()` – triggered when an object is unserialized
  * `__destruct()`, `__toString()`, `__get/__set()`, `__call/__callStatic()` – can be leveraged for malicious execution

* **Regex Validation:** GiveWP implemented regex checks to detect serialized input. While the new regex catches more data types, **regex cannot reliably prevent object injection**.



---

### Key insight:
With a crafted serialized object, the attacker sets object properties, and PHP itself executes the attacker’s logic by invoking the magic methods

### Regex Validation
GiveWP implemented regex-based validation to check if input was serialized.
Old Regex (incomplete)
 
β€’	Only recognized arrays and objects.

β€’	Other serialized types (string, int, bool, float, null) bypassed detection.



---

### New Regex (improved, but flawed)

β€’	Recognizes all PHP serialized types.

β€’	Blocks some trivial payloads.

β€’	But the core problem remains: if unserialize() is used on user input, regex can’t save you.



This snippet was written to compare two different regex implementations:

β€’	is_serialized_old() β†’ the old version, which only detects arrays and objects.

β€’	is_serialized_new() β†’ the improved version, which recognizes all PHP serialized data types (arrays, objects, strings, integers, booleans, floats, and null).
We create a set of test values (array, object, string, integer, boolean, float, null), serialize them, and then check each one against both regex functions.
In simple terms:



And after running this code on your dokcer see on browser this resulte 




## πŸ’₯ Exploit Demo

Step 1

 


Step 2: Create a vulnerable class



This class has a __wakeup() method that will execute automatically when unserialized.

Step 3: Craft payload

 


Step 4: Output
After the saveing file at this file you can see this exlpit 




Exploit : 

 

β€’	Old Regex: FALSE β†’ failed to detect the payload.

β€’	New Regex: TRUE β†’ detected it as serialized input.

β€’	Executing: Hello RCE! β†’ The payload was unserialized, and the magic method __wakeup() executed attacker-controlled code.

Prevention
β€’	Do not use unserialize() on untrusted input. Replace it with json_decode() or other safer alternatives.

β€’	Keep GiveWP and all WordPress plugins updated.

β€’	Deploy a Web Application Firewall (WAF) to block malicious serialized payloads.

β€’	Follow the Principle of Least Privilege: run PHP and database accounts with minimum required permissions.

**Results:**

* Old Regex: ❌ fails to detect payload
* New Regex: βœ… detects serialized input but cannot prevent RCE

> Key insight: **Never rely on regex to secure unserialize()**. The safest approach is to avoid unserializing untrusted input altogether.

---

## πŸ›‘ Prevention

* Do **not** use `unserialize()` on untrusted input; prefer `json_decode()` or other safe alternatives.
* Keep GiveWP and all WordPress plugins updated.
* Deploy a Web Application Firewall (WAF) to block malicious payloads.
* Apply the Principle of Least Privilege for PHP and database accounts.

---

## πŸ“± Follow Our Weekly CVE Analysis

I run two Telegram channels dedicated to vulnerability research and exploitation:

1. **GO-TO CVE Weekly Episodes:**
   Every week, we dive deep into a new CVE and share detailed analysis, demos, and insights.
   πŸ”— [Join us here](https://t.me/GOTOCVE)

2. **CVEdb – Exploit Archive:**
   This channel archives **1-day exploits and custom PoCs** for CVEs. A great resource for researchers who want to see active exploitation techniques.
   πŸ”— [Join CVEdb](https://t.me/CVEdb)

> Follow the channels to stay up-to-date with the latest CVEs, exploitation techniques, and security research insights.

---

## πŸ“š References

* [NVD CVE-2024-12877](https://nvd.nist.gov/vuln/detail/CVE-2024-12877)
* [Wordfence Analysis](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3192-unauthenticated-php-object-injection)
* [GiveWP Source](https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php)

---

## βš–οΈ Legal Disclaimer

This repository is strictly for **educational and research purposes**. Exploiting vulnerabilities without permission is **illegal and unethical**. The author is **not responsible for misuse**.