
A critical security vulnerability, identified as CVE-2025-0912, has been discovered in the GiveWP WordPress donation plugin. This flaw potentially exposes over 100,000 WordPress websites to remote code execution (RCE) attacks. The vulnerability lies in how the plugin handles the card_address parameter during transaction processing.

Technical deep dive

The vulnerability is a PHP Object Injection issue, stemming from insufficient sanitization and validation of user-supplied input. Specifically, versions of the GiveWP plugin up to and including 3.19.4 are susceptible. An unauthenticated attacker can exploit this by injecting malicious PHP objects through the card_address parameter. When the application attempts to deserialize this crafted object, it can lead to arbitrary code execution within the context of the web server.

The Common Vulnerability Scoring System (CVSS) has rated this vulnerability as 9.8 out of 10, classifying it as critical. This high score reflects the ease of exploitation and the potential impact, which includes complete system compromise.

Impact assessment

Successful exploitation of this vulnerability allows an attacker to:

  • Execute arbitrary system commands on the compromised server.
  • Gain unauthorized access to sensitive data, including donor information and financial records.
  • Modify website content, inject malware, or deface the site.
  • Potentially pivot to other systems within the network, depending on the server’s configuration.

Given how widely the GiveWP plugin is used for donation collection, the potential for large-scale damage is significant.

Remediation steps

Website administrators using the GiveWP plugin are strongly advised to take the following steps immediately:

  1. Upgrade to GiveWP version 3.20.0: This version includes a patch that addresses the vulnerability. Ensure the update is applied promptly to mitigate the risk.
  2. Conduct a thorough security audit: Examine server logs for any suspicious activity that might indicate past exploitation attempts.
  3. Implement Web Application Firewall (WAF) rules: Deploy WAF rules to filter out malicious requests targeting the card_address parameter.
  4. Monitor network traffic: Keep a close watch on network traffic for unusual patterns that could indicate ongoing attacks.
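As an added illustration of steps 2 and 3 (this is example code, not from the original post or from GiveWP), the following Python script scans request logs for serialized-PHP-object syntax in the card_address parameter, which is what a WAF rule or a log audit for this issue would look for. The log format, the /donate/ endpoint path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Start of a PHP serialized object: O:<len>:"<class>" (or C: for custom serializers),
# either at the start of the value or nested inside an array/object body.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])\s*[OC]:\d+:"')

# The advisory names card_address as the injection point; kept as a tuple so that
# more parameters can be watched if needed.
WATCHED_PARAMS = ("card_address",)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding (double-encoded values would otherwise slip past the regex)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_php_object(value: str) -> bool:
    """True if the (decoded) value contains the start of a serialized PHP object."""
    return PHP_OBJECT_RE.search(fully_decode(value)) is not None


def scan_request_body(body: str, watched=WATCHED_PARAMS) -> list[str]:
    """Return the watched parameter names in a form-encoded body that carry a serialized object."""
    params = parse_qs(body, keep_blank_values=True)
    return [name for name in watched
            if any(looks_like_php_object(v) for v in params.get(name, []))]


# Constructed sample log in an assumed "<client-ip> <method> <path> <form-body>" format,
# as a reverse proxy or WAF configured to record POST bodies might emit.
SAMPLE_LOG = """\
203.0.113.7 POST /donate/ card_address=123+Main+St&card_city=Springfield&give-amount=25
203.0.113.9 POST /donate/ card_address=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D&give-amount=5
203.0.113.9 POST /donate/ card_address=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D
198.51.100.4 POST /donate/ card_address=PO+Box+10%2C+Suite+O%3A1&card_city=Anytown
"""


def scan_log(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, parameter) for every request whose watched parameter looks injected."""
    findings = []
    for line in log_text.splitlines():
        ip, _method, _path, body = line.split(" ", 3)
        for name in scan_request_body(body):
            findings.append((ip, name))
    return findings
```

The fourth sample line shows why the pattern requires the full `O:<digits>:"` prefix: an ordinary address containing "O:1" is not flagged, while the single- and double-encoded stdClass objects on lines two and three are.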

CVE-2025-0912 represents a serious threat to WordPress websites using the GiveWP plugin. Given the ease of exploitation and the potential for complete system compromise, immediate action is required. By upgrading to version 3.20.0 and implementing additional security measures, website administrators can significantly reduce their risk.
