Cyber Resilience

CVE-2025-0912

CriticalRCE

Published: 04 March 2025

Published
04 March 2025
Modified
05 March 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0269 86.2th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0912 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Givewp Givewp. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Donations Widget plugin for WordPress, also known as GiveWP, is vulnerable to PHP Object Injection in all versions through 3.19.4. The flaw stems from unsafe deserialization of untrusted input supplied via the Donation Form's 'card_address' parameter, which permits an attacker to inject a PHP object; the presence of a usable POP chain then enables remote code execution. The issue is tracked as CWE-502 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the vulnerability over the network by submitting a crafted donation form. Successful exploitation grants the attacker the ability to execute arbitrary code on the affected WordPress site, potentially leading to full site compromise.

Public references point to patches that address the deserialization flaw. The changes appear in GiveWP pull request 7679 and corresponding WordPress plugin repository updates to files including BillingAddress.php, DonationRepository.php, and DonorRepository.php; site owners should apply the latest version of the plugin to eliminate the vulnerable code paths. The associated EPSS scores remain low and show only modest movement.

EU & UK References

Vulnerability details

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers…

more

to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The PHP object injection vulnerability in a public-facing WordPress plugin directly enables unauthenticated remote code execution via exploitation of an Internet-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22777Same product: Givewp Givewp
CVE-2024-12877Same product: Givewp Givewp
CVE-2025-2025Same product: Givewp Givewp
CVE-2023-47183Same product: Givewp Givewp
CVE-2024-13770Shared CWE-502
CVE-2026-27303Shared CWE-502
CVE-2025-53586Shared CWE-502
CVE-2025-64353Shared CWE-502
CVE-2025-31047Shared CWE-502
CVE-2026-27096Shared CWE-502

Affected Assets

givewp
givewp
≤ 3.20.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the known PHP object injection flaw by updating the Donations Widget plugin beyond version 3.19.4 directly prevents exploitation leading to remote code execution.

prevent

Validating and sanitizing untrusted input in the 'card_address' parameter prevents injection of malicious PHP objects via deserialization.

preventdetect

Verifying software integrity detects unauthorized modifications or ensures only patched plugin code executes, mitigating RCE via POP chains.

References