WordPress plug-in: Critical vulnerability with maximum severity rating in GiveWP closed

Attackers can gain control of WordPress websites via a vulnerability in the GiveWP donation plug-in. A security patch is available.


If the GiveWP plug-in is installed, attackers can compromise websites built with the WordPress content management system (CMS). The vulnerability is rated "critical", and admins should install the patched version as soon as possible.

Website operators can use the extension to implement donation campaigns, among other things.


In an advisory, security researchers at Wordfence state that the vulnerability (CVE-2024-5932) carries the highest possible CVSS score of 10 out of 10. Because input passed in the give_title parameter is not adequately validated, attackers can execute malicious code on the web server and take it over.
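Wordfence's write-up classifies CVE-2024-5932 as PHP object injection, i.e. request data reaching PHP's unserialize(). The following is an added illustration of that bug class and of two hardened alternatives; it is not GiveWP's code, and the class LogWriter, the store_title_* functions and the serialized payload are hypothetical, constructed for the example.

```php
<?php
// Added example, not GiveWP code: why request data must never reach unserialize().

// Hypothetical class with a "magic" method. Any class with __wakeup()/__destruct()
// in the loaded code base can be instantiated by a crafted serialized string, and
// its magic method then runs with attacker-chosen property values (a "gadget").
class LogWriter {
    public static array $written = [];   // records what __destruct() did, for the demo
    public $path = '/tmp/app.log';
    public $line = '';
    public function __destruct() {
        // A real gadget would write the file (or include it, or eval it); we only record it.
        self::$written[] = "$this->path <= $this->line";
    }
}

// Vulnerable pattern: a request field is handed to unserialize(). WordPress'
// maybe_unserialize() does the same for any string that is_serialized() accepts,
// so passing e.g. $_POST['give_title'] into it is the same sink.
function store_title_vulnerable(string $title) {
    return unserialize($title);
}

// Hardened variant 1: request data is a plain string; never deserialize it.
// (WordPress equivalent: sanitize_text_field( wp_unslash( $_POST['give_title'] ) ))
function store_title_hardened(string $title): string {
    return strip_tags($title);
}

// Hardened variant 2: where serialized data is genuinely expected (e.g. from the
// database, not from the request), forbid object instantiation entirely.
function unserialize_no_objects(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed attacker input: a serialized LogWriter with attacker-chosen fields.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/injected.txt";s:4:"line";s:5:"pwned";}';

// Vulnerable path: an attacker-chosen object is created and its gadget fires.
$obj = store_title_vulnerable($payload);
var_dump($obj instanceof LogWriter);        // bool(true)
unset($obj);                                // __destruct() runs here
var_dump(LogWriter::$written);              // ["/tmp/injected.txt <= pwned"]

// Hardened paths: no gadget can run.
var_dump(get_class(unserialize_no_objects($payload))); // "__PHP_Incomplete_Class"
var_dump(store_title_hardened($payload));              // the literal string, nothing executed
```

The point of variant 1 is that a donation form title is text and has no business being deserialized at all; variant 2 is the fallback for code paths that really must read serialized data, since `allowed_classes => false` turns every object into an inert `__PHP_Incomplete_Class` instead of invoking any class's magic methods.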

All GiveWP versions up to and including 3.14.1 are affected. The researchers state that the developers closed the vulnerability in version 3.14.2; the current version is 3.15.0. The plug-in has around 100,000 active installations. Operators can check the installed version in the WordPress plug-in list or, with WP-CLI, via `wp plugin get give --field=version`.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.