CVE-2025-0912
Published: 04 March 2025
Summary
CVE-2025-0912 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in GiveWP (the Donations Widget plugin for WordPress). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Donations Widget plugin for WordPress, also known as GiveWP, is vulnerable to PHP Object Injection in all versions through 3.19.4. The flaw stems from unsafe deserialization of untrusted input supplied via the Donation Form's 'card_address' parameter, which permits an attacker to inject a PHP object; the presence of a usable POP chain then enables remote code execution. The issue is tracked as CWE-502 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the vulnerability over the network by submitting a crafted donation form. Successful exploitation grants the attacker the ability to execute arbitrary code on the affected WordPress site, potentially leading to full site compromise.
Public references point to patches that address the deserialization flaw. The changes appear in GiveWP pull request 7679 and corresponding WordPress plugin repository updates to files including BillingAddress.php, DonationRepository.php, and DonorRepository.php; site owners should apply the latest version of the plugin to eliminate the vulnerable code paths. The associated EPSS scores remain low and show only modest movement.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7374
Vulnerability details
The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The PHP object injection vulnerability in a public-facing WordPress plugin directly enables unauthenticated remote code execution via exploitation of an Internet-facing application.
Mitigating Controls (NIST 800-53 r5)
Remediating the known PHP object injection flaw by updating the Donations Widget plugin to a version later than 3.19.4 directly prevents exploitation leading to remote code execution.
Validating and sanitizing untrusted input in the 'card_address' parameter prevents injection of malicious PHP objects via deserialization.
Verifying software integrity detects unauthorized modifications or ensures only patched plugin code executes, mitigating RCE via POP chains.
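The input-validation control above is easiest to see in code. The following is an added example written for this page, not GiveWP's own code and not a reconstruction of the patched files named earlier; the field name 'card_address', the address keys and the sample inputs are assumptions. It contrasts the unsafe pattern behind CWE-502 (passing a form field straight to unserialize()) with a hardened reader that never instantiates serialized objects and accepts only the expected array shape. It needs PHP 7.1 or later (allowed_classes was added in 7.0, nullable return types in 7.1).

```php
<?php
// Added example (not GiveWP's code). Field name 'card_address', the key list
// and the sample payloads below are assumptions made for illustration.
declare(strict_types=1);

/**
 * UNSAFE pattern (CWE-502): unserialize() on attacker-controlled input will
 * instantiate whatever class the string names and run its __wakeup() /
 * __destruct() hooks, which is what a POP chain relies on.
 */
function read_address_unsafe(string $raw)
{
    return unserialize($raw);
}

/**
 * Hardened reader, two layers deep:
 *  1. 'allowed_classes' => false: PHP never instantiates a serialized object;
 *     it is materialized as __PHP_Incomplete_Class, so no magic methods fire.
 *  2. Shape validation: only a flat array of known string keys with plain
 *     string values is accepted; anything else is rejected.
 * Returns the validated array, or null when the input is rejected.
 */
function read_address_safe(string $raw): ?array
{
    $allowed_keys = ['line1', 'line2', 'city', 'state', 'zip', 'country'];

    // Cheap pre-check that doubles as a detection signal: serialized objects
    // start with O:<len>:"Class": (or C:<len>:"Class": for custom serializers),
    // either at the top level or after a ';' / '{' inside an array.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        return null;
    }

    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // malformed input, or not the array we expect
    }

    $clean = [];
    foreach ($data as $key => $value) {
        if (!in_array($key, $allowed_keys, true) || !is_string($value)) {
            return null; // unexpected key, or nested / non-string value
        }
        // Conservative address alphabet: letters, digits, space and a few
        // punctuation characters, capped at 200 characters per field.
        if ($value !== '' && !preg_match('/^[\p{L}\p{N} .,\'\-\/#]{1,200}$/u', $value)) {
            return null;
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample inputs: a benign serialized address array, and a
// serialized object (plain stdClass, carrying no gadget) that must be rejected.
$benign = serialize(['line1' => '1 Main St', 'city' => 'Springfield', 'zip' => '12345']);
$object = 'O:8:"stdClass":1:{s:5:"line1";s:1:"x";}';

var_dump(read_address_safe($benign));
var_dump(read_address_safe($object));
```

The pre-check regex is also a usable detection rule: a serialized object token arriving in a field that should only ever carry an address array is worth logging at the web-application firewall or in the plugin itself. The more durable fix for a form field is not to use PHP's native serialization format at all and to read the address as JSON with json_decode(), which has no notion of classes and so removes the object-injection surface entirely.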