{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0912", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-30T21:22:37.640Z", "datePublished": "2025-03-04T03:37:59.369Z", "dateUpdated": "2026-04-08T17:05:41.453Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:41.453Z"}, "affected": [{"vendor": "stellarwp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.19.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."}], "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547c?source=cve"}, {"url": "https://github.com/impress-org/givewp/pull/7679/files"}, {"url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donors/Repositories/DonorRepository.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Properties/BillingAddress.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Repositories/DonationRepository.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3234114%40give&new=3234114%40give&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "dream hard"}], "timeline": [{"time": "2025-03-03T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T16:26:11.247512Z", "id": "CVE-2025-0912", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T16:26:20.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0912", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-04T16:26:11.247512Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T16:26:15.825Z"}}], "cna": {"title": "GiveWP \u2013 Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection", "credits": [{"lang": "en", "type": "finder", "value": "dream hard"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "givewp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.19.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-03T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547c?source=cve"}, {"url": "https://github.com/impress-org/givewp/pull/7679/files"}, {"url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donors/Repositories/DonorRepository.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Properties/BillingAddress.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Repositories/DonationRepository.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3234114%40give&new=3234114%40give&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-04T03:37:59.369Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0912", "state": "PUBLISHED", "dateUpdated": "2025-03-04T16:26:20.121Z", "dateReserved": "2025-01-30T21:22:37.640Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-04T03:37:59.369Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."}], "id": "CVE-2025-0912", "lastModified": "2025-03-04T04:15:11.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-03-04T04:15:11.390", "references": [{"source": "security@wordfence.com", "url": "https://github.com/impress-org/givewp/pull/7679/files"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Properties/BillingAddress.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Repositories/DonationRepository.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donors/Repositories/DonorRepository.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3234114%40give&new=3234114%40give&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:27:11.587059+00:00", "value": {"mitigation_remediation": ["Upgrade the GiveWP plugin to version 3.19.5 or later to remove the deserialization flaw.", "If an immediate upgrade is not possible, disable or uninstall the GiveWP plugin to eliminate the attack surface.", "Apply strict input validation or filtering to the 'card_address' parameter to prevent arbitrary object deserialization, reducing the risk of injection (CWE\u2011502 mitigation)."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "GiveWP \u2013 Donation Plugin and Fundraising Platform versions 3.19.4 and earlier are affected. These versions process the 'card_address' parameter without proper validation, leading to the injection vulnerability.", "description_and_impact": "The GiveWP Donations Widget plugin is vulnerable to PHP Object Injection through the untrusted 'card_address' parameter in the donation form. By sending crafted data, an unauthenticated attacker can deserialize malicious objects. The presence of a PHP Object Profiler (POP) chain allows the attacker to execute arbitrary code on the affected WordPress site, providing full control over confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity, and the EPSS score of 2% suggests a non\u2011negligible probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable endpoint via the public donations form, so the attack vector is likely unauthenticated web input."}}}}, "created": "2026-04-22T13:30:17.929651+00:00", "updated": "2026-04-22T13:30:17.929661+00:00", "vendors": []}