🔐 CVE Alert

CVE-2025-0912

CRITICAL 9.8

GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection

CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

CWE CWE-502
Vendor stellarwp
Product givewp – donation plugin and fundraising platform
Published Mar 4, 2025
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for stellarwp givewp – donation plugin and fundraising platform

Be the first to know when new critical vulnerabilities affecting stellarwp givewp – donation plugin and fundraising platform are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

stellarwp / GiveWP – Donation Plugin and Fundraising Platform
0 ≤ 3.19.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547c?source=cve github.com: https://github.com/impress-org/givewp/pull/7679/files plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donors/Repositories/DonorRepository.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Properties/BillingAddress.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Repositories/DonationRepository.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3234114%40give&new=3234114%40give&sfp_email=&sfph_mail=

Credits

dream hard