Description
The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
Published: 2025-03-04
Score: 9.8 Critical
EPSS: 2.1% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The GiveWP Donations Widget plugin is vulnerable to PHP Object Injection through the untrusted 'card_address' parameter in the donation form. By sending crafted data, an unauthenticated attacker can deserialize malicious objects. The presence of a PHP Object Profiler (POP) chain allows the attacker to execute arbitrary code on the affected WordPress site, providing full control over confidentiality, integrity, and availability of the system.

Affected Systems

GiveWP – Donation Plugin and Fundraising Platform versions 3.19.4 and earlier are affected. These versions process the 'card_address' parameter without proper validation, leading to the injection vulnerability.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score of 2% suggests a non‑negligible probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable endpoint via the public donations form, so the attack vector is likely unauthenticated web input.

Generated by OpenCVE AI on April 22, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GiveWP plugin to version 3.19.5 or later to remove the deserialization flaw.
  • If an immediate upgrade is not possible, disable or uninstall the GiveWP plugin to eliminate the attack surface.
  • Apply strict input validation or filtering to the 'card_address' parameter to prevent arbitrary object deserialization, reducing the risk of injection (CWE‑502 mitigation).

Generated by OpenCVE AI on April 22, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7374 The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
History

Tue, 04 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
Title GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:41.453Z

Reserved: 2025-01-30T21:22:37.640Z

Link: CVE-2025-0912

cve-icon Vulnrichment

Updated: 2025-03-04T16:26:15.825Z

cve-icon NVD

Status : Received

Published: 2025-03-04T04:15:11.390

Modified: 2025-03-04T04:15:11.390

Link: CVE-2025-0912

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses