A critical security flaw in the GiveWP Donation Plugin, tracked as CVE-2025-0912, has exposed over 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks.
The vulnerability, scoring a maximum CVSS 9.8 (Critical) severity rating, originates from improper handling of user-supplied data in the plugin’s donation form processing logic.
Exploiting this flaw allows attackers to inject malicious PHP objects via deserialization of untrusted input, leveraging a POP (Property-Oriented Programming) chain to achieve full server compromise.
WordPress Donation Plugin Vulnerability
The vulnerability resides in the plugin’s handling of the card_address parameter within donation forms.
Versions up to and including 3.19.4 fail to validate or sanitize serialized data passed through this field, enabling PHP Object Injection (CWE-502).
During donation processing, the give_process_donation_form() function deserializes user input without proper checks, allowing attackers to craft payloads that instantiate arbitrary PHP objects.
A critical factor enabling RCE is the presence of exploitable POP chains in the plugin’s codebase. "These chains allow attackers to string together gadget methods such as destructors or wakeup functions to escalate object injection into system command execution," the Wordfence report reads.
This flaw bypasses WordPress’s security nonces and requires no authentication, making it accessible to any external attacker. Successful exploitation enables:
- Arbitrary file deletion (including wp-config.php)
- Database credential extraction
- Backdoor installation via web shells
With GiveWP powering donation systems for nonprofits, religious organizations, and political campaigns, compromised sites risk financial fraud, donor data theft, and reputational damage.
Attackers could deface websites, redirect donations, or deploy cryptocurrency miners. The plugin’s integration with payment gateways like PayPal and Stripe raises concerns about secondary breaches of transactional systems.
Security analysts at Defiant warn that over 30% of affected sites remain unpatched despite the availability of version 3.20.0, which fixes the issue by implementing strict input validation and removing unsafe deserialization.
Mitigations
Website administrators must:
- Immediately update to GiveWP 3.20.0 or later
- Audit server logs for suspicious POST requests to /wp-json/givewp/v3/donations
- Deploy Web Application Firewall (WAF) rules blocking serialized data in card_address parameters
- Monitor for unauthorized file changes or new admin users
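The log-audit and WAF items above both come down to one check: a POST to the donation endpoint whose card_address value carries a PHP serialized object token. The following Python is an added example (not code from the article, Wordfence or GiveWP) that runs that check over constructed sample requests; the endpoint path and parameter name are the ones the advisory cites, the class names in the samples are placeholders, and the request tuples are assumed to have been extracted from a request log.

```python
import re
from urllib.parse import parse_qs, unquote_plus

DONATION_ENDPOINT = "/wp-json/givewp/v3/donations"  # endpoint named in the mitigations
WATCHED_PARAMS = ("card_address",)                  # field named in the advisory

# PHP serialize() writes objects as O:<len>:"<class>":<nprops>:{...}. The token shows up
# wherever an object is present, including when nested inside a serialized array a:<n>:{...}.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([^"]*)":\d+:\{')

# Constructed sample requests (method, path, raw POST body); not real traffic. The class
# names are placeholders, not gadget classes from any real codebase.
SAMPLE_REQUESTS = [
    ("POST", DONATION_ENDPOINT, "give-amount=25&card_address=221B+Baker+Street&card_city=London"),
    ("POST", DONATION_ENDPOINT,
     "give-amount=25&card_address=O%3A11%3A%22Placeholder%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bs%3A1%3A%22y%22%3B%7D"),
    ("GET", DONATION_ENDPOINT, ""),
    # object nested in an array and double URL-encoded, which a single-decode filter would miss
    ("POST", DONATION_ENDPOINT,
     "card_address=a%253A1%253A%257Bi%253A0%253BO%253A3%253A%2522Foo%2522%253A0%253A%257B%257D%257D"),
]

def serialized_object_class(value: str):
    """Return the class name if value contains a PHP serialized object token, else None.
    Decodes repeatedly (bounded) so double-encoded values are still inspected."""
    for _ in range(3):
        m = PHP_OBJECT_RE.search(value)
        if m:
            return m.group(1)
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return None

def find_suspicious(requests):
    """Flag POSTs to the donation endpoint whose watched parameters carry a serialized
    PHP object. Returns a list of (request_index, parameter, class_name)."""
    hits = []
    for idx, (method, path, body) in enumerate(requests):
        if method != "POST" or path != DONATION_ENDPOINT:
            continue
        params = parse_qs(body, keep_blank_values=True)  # decodes percent-encoding once
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                cls = serialized_object_class(value)
                if cls is not None:
                    hits.append((idx, name, cls))
    return hits

if __name__ == "__main__":
    for idx, name, cls in find_suspicious(SAMPLE_REQUESTS):
        print(f"request #{idx}: {name!r} contains a serialized object of class {cls!r}")
```

A hit is a reason to pull the full request and check the site for the file changes and new admin users listed above; a plain street address never contains the O:<n>:"...":<n>:{ token, so benign donations are not flagged.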
For sites unable to patch immediately, temporary mitigation involves disabling the donations widget or restricting form submissions to reCAPTCHA-verified users.
While no active exploits have been observed yet, the vulnerability’s simplicity and high impact make it a prime target for ransomware groups.
WordPress security teams urge organizations using GiveWP to subscribe to vulnerability disclosure feeds and implement atomic security measures like MalCare’s real-time exploit prevention.
With over 43% of all websites running WordPress, this vulnerability underscores the critical need for rigorous third-party plugin audits and automated patch management in nonprofit web infrastructures.