Share
## https://sploitus.com/exploit?id=4BB18EE2-E5E8-5112-82ED-1FD80FFED294
# GO-TO CVE β CVE-2024-12877-Exploit
**Week 66 | Author: Ali Soltani ([soltanali0]([url](https://x.com/soltanali0)))**
Welcome to **Week 66 of the GO-TO CVE series**, where we dissect vulnerabilities, analyze root causes, and demonstrate practical exploitation techniques in a safe, educational context.
---
## π¨ Overview
**CVE-2024-12877** is a **PHP Object Injection** vulnerability in **GiveWP**, one of the most widely-used WordPress donation plugins. The unsafe use of `unserialize()` on user-controlled input allows attackers to trigger PHP magic methods (like `__wakeup()`), potentially leading to:
* Remote Code Execution (RCE) β‘
* Sensitive data theft π΅οΈββοΈ
* Privilege escalation π
* Full server compromise β οΈ
**CVSS:** 9.8 Critical | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
---
## π§© About [GiveWP](https://givewp.com/)
GiveWP powers thousands of charity websites, NGOs, and fundraising platforms. Because it handles sensitive financial and donor data, a vulnerability here is highly impactful. An attacker exploiting object injection can escalate from a single plugin to compromising the entire WordPress installation and the underlying server.
---
## βοΈ Vulnerability Details
* **Root Cause:** `unserialize()` on untrusted input.
* **PHP Magic Methods:** PHP automatically invokes these during object lifecycle:
* The vulnerability stems from unsafe use of the PHP function unserialize() on user-controlled input. While unserialize() is designed to rebuild PHP data structures, it comes with a dangerous side effect: when objects are reconstructed, PHP automatically invokes magic methods.
## Magic Methods in PHP
* `__wakeup()` β triggered when an object is unserialized
* `__destruct()`, `__toString()`, `__get/__set()`, `__call/__callStatic()` β can be leveraged for malicious execution
* **Regex Validation:** GiveWP implemented regex checks to detect serialized input. While the new regex catches more data types, **regex cannot reliably prevent object injection**.
---
### Key insight:
With a crafted serialized object, the attacker sets object properties, and PHP itself executes the attackerβs logic by invoking the magic methods
### Regex Validation
GiveWP implemented regex-based validation to check if input was serialized.
Old Regex (incomplete)
β’ Only recognized arrays and objects.
β’ Other serialized types (string, int, bool, float, null) bypassed detection.
---
### New Regex (improved, but flawed)
β’ Recognizes all PHP serialized types.
β’ Blocks some trivial payloads.
β’ But the core problem remains: if unserialize() is used on user input, regex canβt save you.
This snippet was written to compare two different regex implementations:
β’ is_serialized_old() β the old version, which only detects arrays and objects.
β’ is_serialized_new() β the improved version, which recognizes all PHP serialized data types (arrays, objects, strings, integers, booleans, floats, and null).
We create a set of test values (array, object, string, integer, boolean, float, null), serialize them, and then check each one against both regex functions.
In simple terms:
And after running this code on your dokcer see on browser this resulte
## π₯ Exploit Demo
Step 1
Step 2: Create a vulnerable class
This class has a __wakeup() method that will execute automatically when unserialized.
Step 3: Craft payload
Step 4: Output
After the saveing file at this file you can see this exlpit
Exploit :
β’ Old Regex: FALSE β failed to detect the payload.
β’ New Regex: TRUE β detected it as serialized input.
β’ Executing: Hello RCE! β The payload was unserialized, and the magic method __wakeup() executed attacker-controlled code.
Prevention
β’ Do not use unserialize() on untrusted input. Replace it with json_decode() or other safer alternatives.
β’ Keep GiveWP and all WordPress plugins updated.
β’ Deploy a Web Application Firewall (WAF) to block malicious serialized payloads.
β’ Follow the Principle of Least Privilege: run PHP and database accounts with minimum required permissions.
**Results:**
* Old Regex: β fails to detect payload
* New Regex: β
detects serialized input but cannot prevent RCE
> Key insight: **Never rely on regex to secure unserialize()**. The safest approach is to avoid unserializing untrusted input altogether.
---
## π‘ Prevention
* Do **not** use `unserialize()` on untrusted input; prefer `json_decode()` or other safe alternatives.
* Keep GiveWP and all WordPress plugins updated.
* Deploy a Web Application Firewall (WAF) to block malicious payloads.
* Apply the Principle of Least Privilege for PHP and database accounts.
---
## π± Follow Our Weekly CVE Analysis
I run two Telegram channels dedicated to vulnerability research and exploitation:
1. **GO-TO CVE Weekly Episodes:**
Every week, we dive deep into a new CVE and share detailed analysis, demos, and insights.
π [Join us here](https://t.me/GOTOCVE)
2. **CVEdb β Exploit Archive:**
This channel archives **1-day exploits and custom PoCs** for CVEs. A great resource for researchers who want to see active exploitation techniques.
π [Join CVEdb](https://t.me/CVEdb)
> Follow the channels to stay up-to-date with the latest CVEs, exploitation techniques, and security research insights.
---
## π References
* [NVD CVE-2024-12877](https://nvd.nist.gov/vuln/detail/CVE-2024-12877)
* [Wordfence Analysis](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3192-unauthenticated-php-object-injection)
* [GiveWP Source](https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php)
---
## βοΈ Legal Disclaimer
This repository is strictly for **educational and research purposes**. Exploiting vulnerabilities without permission is **illegal and unethical**. The author is **not responsible for misuse**.