CVE-2025-0912

CriticalRCE

Published: 04 March 2025

Published

04 March 2025

Modified

05 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0269 86.0th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0912 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Givewp Givewp. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Remediating the known PHP object injection flaw by updating the Donations Widget plugin beyond version 3.19.4 directly prevents exploitation leading to remote code execution.

SI-10 Information Input Validation good match

prevent

Validating and sanitizing untrusted input in the 'card_address' parameter prevents injection of malicious PHP objects via deserialization.

SI-7 Software, Firmware, and Information Integrity partial match

preventdetect

Verifying software integrity detects unauthorized modifications or ensures only patched plugin code executes, mitigating RCE via POP chains.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The PHP object injection vulnerability in a public-facing WordPress plugin directly enables unauthenticated remote code execution via exploitation of an Internet-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers…

to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

Deeper analysisAI

CVE-2025-0912 is a PHP Object Injection vulnerability (CWE-502) affecting the Donations Widget plugin for WordPress in all versions up to and including 3.19.4. The flaw arises from deserialization of untrusted input supplied via the 'card_address' parameter in the Donation Form, enabling attackers to inject a PHP Object. The presence of a POP chain in the plugin escalates this to remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting crafted input through the Donation Form's 'card_address' parameter, they can inject malicious PHP Objects, leveraging the available POP chain to execute arbitrary code on the server hosting the vulnerable WordPress site.

Patches addressing the vulnerability are available in the GiveWP plugin repository, as evidenced by changesets in the WordPress plugins trac, including modifications to BillingAddress.php, DonationRepository.php, and DonorRepository.php (changeset 3234114), along with a related GitHub pull request. Security practitioners should update to a patched version of the plugin to mitigate the issue.