PHP Object Injection Vulnerability in Donations Widget Plugin for WordPress
CVE-2025-0912

CVSS 9.8 CRITICAL

Key Information:

Vendor: GiveWP
Product: GiveWP – Donation Plugin And Fundraising Platform
CVE Published: 4 March 2025

Badges

📈 Score: 388 · 👾 Exploit Exists · 📰 News Worthy

What is CVE-2025-0912?

CVE-2025-0912 is a vulnerability identified in the Donations Widget plugin for WordPress, created by GiveWP. This plugin is used by many organizations to manage and facilitate online donations. The vulnerability is a PHP Object Injection flaw: input submitted through the donation form is deserialized, so an unauthenticated attacker can supply serialized data that the server turns into PHP objects. If exploited, this can have severe consequences for the organization, including unauthorized system access and remote code execution.

Technical Details

The vulnerability affects all versions of the Donations Widget plugin up to and including version 3.19.4. The core issue is the improper handling of the 'card_address' parameter, whose value is passed to PHP deserialization without restricting which classes may be instantiated, allowing attackers to inject arbitrary PHP objects. When a Property Oriented Programming (POP) chain is present in the application's code base, the injected objects can be used to execute arbitrary code on the server, which is what raises the severity to critical.
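The defensive point behind this advisory is that user-supplied data must never reach an unrestricted deserializer. The following is an added illustration, not GiveWP's code: a vulnerable sink of the kind described above beside a hardened version, with `$rawInput` standing in for a form field such as `card_address` and all sample values constructed.

```php
<?php
// Added illustration (not the plugin's own code). $rawInput stands in for
// a donation-form field such as 'card_address'; sample values are constructed.

// Vulnerable pattern: untrusted data reaches unserialize() with classes
// allowed, so a serialized "O:..." payload is instantiated server-side and
// any class with a side-effecting magic method becomes a POP-chain gadget.
function decodeAddressVulnerable(string $rawInput)
{
    return unserialize($rawInput);
}

// Hardened pattern: forbid every class, then insist on the flat
// string => scalar array the form is actually expected to send.
// (Better still is to avoid PHP serialization for form data entirely
// and use json_decode(), which cannot instantiate application classes.)
function decodeAddressHardened(string $rawInput): ?array
{
    $decoded = @unserialize($rawInput, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return null;        // object (__PHP_Incomplete_Class), scalar or malformed: reject
    }
    foreach ($decoded as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return null;    // nested structures are not a valid address
        }
    }
    return $decoded;
}

// Constructed inputs: a benign serialized address and a serialized object.
$benign  = serialize(['line1' => '1 Main St', 'city' => 'Springfield']);
$hostile = serialize(new stdClass());   // "O:8:\"stdClass\":0:{}"

var_dump(decodeAddressHardened($benign));   // accepted as a plain array
var_dump(decodeAddressHardened($hostile));  // rejected: no object is built
var_dump(decodeAddressVulnerable($hostile) instanceof stdClass); // vulnerable path instantiates it
```

With `allowed_classes` set to `false`, PHP materialises any object in the input as `__PHP_Incomplete_Class`, so no constructor, destructor or `__wakeup` of an application class ever runs.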

Potential Impact of CVE-2025-0912

  1. Remote Code Execution: Attackers can leverage this vulnerability to execute any PHP code on the server, potentially taking control of the web application and the underlying system.

  2. Data Breaches: Unauthorized access can lead to the exfiltration of sensitive data, including donor information, financial records, and personal details, resulting in privacy violations and loss of trust.

  3. Increased Attack Surfaces: With access gained through the vulnerability, attackers could deploy additional malware or establish backdoors, further compromising the organization’s security posture and exposing them to subsequent attacks.

Affected Version(s)

GiveWP – Donation Plugin and Fundraising Platform: <= 3.19.4

News Articles

WordPress Plugin Vulnerability Exposes 10,000 Sites to Code Execution Attacks

A critical security flaw in the GiveWP Donation Plugin, tracked as CVE-2025-0912, has exposed over 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by CybersecurityNews

  • Vulnerability published

  • Vulnerability Reserved

Credit

dream hard