Impact
The GiveWP plugin for WordPress contains a deserialization weakness that allows a malicious actor to perform PHP object injection. When untrusted data is passed to PHP's unserialize() without validation, an attacker can craft a serialized payload that makes the plugin instantiate arbitrary PHP classes with attacker-chosen property values. If any class loaded in the WordPress install (core, GiveWP, or another plugin or library) has a magic method such as __wakeup() or __destruct() that acts on those properties, the result can be code execution, data tampering, or compromise of the entire site; without such a gadget chain the impact is more limited, but the flaw is still present. This is a classic instance of CWE-502 (Deserialization of Untrusted Data): the application trusts external data while deserializing it.
Affected Systems
WordPress sites running the StellarWP GiveWP plugin at version 3.19.3 or earlier are affected. The affected product is GiveWP, the donation-handling plugin for WordPress. No further vendor, platform, or version qualifiers are listed, so every installation of those plugin versions should be treated as at risk until it is updated to a version later than 3.19.3.
Risk and Exploitability
The CVSS score of 9.8 rates this vulnerability as critical; a 9.8 base score corresponds to a network-reachable, low-complexity attack that needs no privileges and no user interaction, with high impact on confidentiality, integrity, and availability. The EPSS score is reported below 1 percent, meaning the model predicts a low probability of exploitation in the near term; that does not reduce the impact if exploitation does occur. The vulnerability is not listed in the CISA KEV catalog, which indicates that no confirmed in-the-wild exploitation had been recorded there at the time of this analysis, not that no exploit exists. The likely attack vector is remote: a crafted serialized payload submitted through any exposed form field, request parameter, or API endpoint that the plugin passes to unserialize(). If the plugin deserializes that data without safeguards such as an allowed-classes restriction, an attacker can reach an available gadget chain and potentially gain full control of the affected WordPress environment.
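The following is an added example, not GiveWP code or code from the advisory, illustrating the deserialization mechanism described under Impact and the remote payload path described above. The LogWriter class, the Audit class, the serialized payload, and the function names are constructed for illustration; real gadget chains live in whatever classes the WordPress install happens to load, and this one only records the write it would have performed instead of doing it.

```php
<?php
// Added example (not GiveWP code): how CWE-502 PHP object injection works
// and how unserialize() is hardened. LogWriter, Audit, the payload and the
// function names are all constructed for this illustration.

// Records side effects so the example can show what a gadget would have done.
class Audit { public static $events = []; }

// Hypothetical gadget: a class whose __destruct() acts on properties the
// attacker fully controls once the object is created by unserialize().
class LogWriter {
    public $path;
    public $data;
    public function __destruct() {
        // A real gadget would call file_put_contents($this->path, $this->data).
        // Here we only record the intended arbitrary file write.
        Audit::$events[] = 'would write ' . strlen($this->data) . ' bytes to ' . $this->path;
    }
}

// Constructed attacker payload: serialized LogWriter with chosen properties
// (O:<len>:"<class>":<props>:{...}). Counts are exact: "LogWriter" is 9 chars,
// "/var/www/shell.php" is 18, "PAYLOAD" is 7.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:18:"/var/www/shell.php";s:4:"data";s:7:"PAYLOAD";}';

// VULNERABLE: untrusted request data goes straight into unserialize(),
// so any loaded class can be instantiated with attacker-controlled state.
function vulnerable_load(string $untrusted) {
    return unserialize($untrusted);
}

// HARDENED (1): refuse to instantiate any class. Objects in the payload come
// back as __PHP_Incomplete_Class and their magic methods never execute.
function hardened_load(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// HARDENED (2): reject input that contains any object (O:) or custom
// serialized (C:) token before unserialize() is reached at all.
function contains_serialized_object(string $s): bool {
    return preg_match('/(^|[;{:])[OC]:\d+:"/', $s) === 1;
}

// Vulnerable path: the object is created, and dropping the last reference
// to it runs __destruct() with the attacker's path and data.
$obj = vulnerable_load($payload);
unset($obj);
echo 'vulnerable: ' . implode('; ', Audit::$events) . PHP_EOL;

// Hardened path: same payload, but no LogWriter is ever instantiated.
Audit::$events = [];
$safe = hardened_load($payload);
echo 'hardened returned: ' . get_class($safe) . PHP_EOL;   // __PHP_Incomplete_Class
unset($safe);
echo 'hardened: ' . (Audit::$events ? 'gadget fired' : 'no gadget fired') . PHP_EOL;

// Pre-check path: the payload is rejected before it reaches unserialize().
echo 'object token detected: ' . var_export(contains_serialized_object($payload), true) . PHP_EOL;
```

The allowed_classes option is the minimal fix when a code path genuinely must accept PHP-serialized data from outside; the pre-check is a defence-in-depth filter that also rejects legitimate serialized objects, so it belongs on inputs that should only ever carry scalars and arrays. For new code the better answer is to avoid PHP serialization for untrusted input entirely and use a data-only format such as JSON.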