CVE-2025-0912

Published Mar 4, 2025

Last updated 11 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-0912 is a critical vulnerability affecting the GiveWP WordPress donation plugin, specifically versions 3.19.4 and earlier. It stems from improper sanitization of the `card_address` parameter in donation forms, allowing unauthenticated attackers to inject malicious PHP objects. This vulnerability enables remote code execution (RCE) attacks. Exploiting this flaw involves leveraging a property-oriented programming (POP) chain within the plugin's code. This allows attackers to escalate the object injection vulnerability into full server compromise. Consequences can include arbitrary file deletion, database credential leaks, and backdoor installation via web shells. A patch is available in version 3.20.0 of the GiveWP plugin, which implements stricter input validation and removes the unsafe deserialization logic.

Description

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

Source: security@wordfence.com
NVD status: Analyzed
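The CWE-502 pattern the descriptions above name, as an added example that is neither GiveWP's code nor taken from this page's sources: a hypothetical PHP handler that deserializes the `card_address` form field, beside a hardened handler and an `allowed_classes` fallback. Function names, the address keys and the sample inputs are assumptions.

```php
<?php
// Added illustration, not GiveWP's code: a hypothetical donation-form handler
// that feeds the card_address field to unserialize() (the CWE-502 pattern
// CVE-2025-0912 describes) beside a hardened version. Function names, address
// keys and sample inputs are assumptions.

// Weak pattern: unserialize() on attacker-controlled input instantiates any
// class the payload names, so a gadget (POP) chain in loaded code can run
// from __wakeup()/__destruct().
function parse_card_address_unsafe(string $raw): array
{
    $address = unserialize($raw);
    return is_array($address) ? $address : [];
}

// Hardened pattern: an address is flat data, not an object graph. Accept JSON
// only (depth 2 = one object of scalars), allow-list keys, bound each value.
function parse_card_address_safe(string $raw): array
{
    $decoded = json_decode($raw, true, 2, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('card_address must be a JSON object');
    }
    $clean = [];
    foreach (['line1', 'line2', 'city', 'state', 'zip', 'country'] as $key) {
        if (!isset($decoded[$key])) {
            continue;
        }
        if (!is_string($decoded[$key]) || strlen($decoded[$key]) > 200) {
            throw new InvalidArgumentException("card_address.$key is invalid");
        }
        $clean[$key] = trim(strip_tags($decoded[$key])); // WP: sanitize_text_field()
    }
    return $clean;
}

// Defence in depth where unserialize() cannot be removed yet: forbid class
// instantiation, so objects become __PHP_Incomplete_Class and no gadget runs.
function unserialize_no_objects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample inputs for a stand-alone run (php this_file.php).
$legit  = '{"line1":"1 Main St","city":"Springfield","zip":"12345","country":"US"}';
$object = 'O:8:"stdClass":0:{}'; // a serialized object, not an address
print_r(parse_card_address_safe($legit));
echo get_class(unserialize_no_objects($object)), PHP_EOL;
try { parse_card_address_safe($object); } catch (JsonException $e) { echo "card_address rejected: not JSON", PHP_EOL; }
```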

Risk scores

CVSS 3.1
Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@wordfence.com: CWE-502
nvd@nist.gov: CWE-502

Social media

Hype score: Not currently trending

  1. A vulnerability with identifier CVE-2025-0912 and a severity score of 9.8 has recently been published for the Donation plugin for WordPress. This vulnerability, which is of the PHP deserialization type, allows a hacker to execute code on the vulnerable website and take full control of it. https://t.co/Poz3aKY03t https:

     @AmirHossein_sec, 9 Mar 2025: 43 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  2. A vulnerability with identifier CVE-2025-0912 and a severity score of 9.8 has recently been published for the Donation plugin for WordPress. This vulnerability, which is of the PHP deserialization type, allows a hacker to execute code on the vulnerable website and take full control of it.

     @cybernetic_cy, 8 Mar 2025: 80 impressions, 2 retweets, 5 likes, 0 bookmarks, 0 replies, 0 quotes

  3. CVE-2025-0912: Critical Flaw Exposes Over 100,000 WordPress Donation Sites to RCE A severe security vulnerability has been discovered in GiveWP, the popular WordPress donation plugin, putting over 100,000 websites at significant risk. The vulnerability, tracked as CVE-2025-0912

     @ishowcybersec, 7 Mar 2025: 65 impressions, 1 retweet, 2 likes, 0 bookmarks, 0 replies, 0 quotes

  4. I surveyed about 500,000 domestic WP sites for the GiveWP WP plugin vulnerability (CVE-2025-0912). ■ 103 sites have the plugin installed ■ About 74.8% (77 sites) are running an unpatched version below 3.20.0. So GiveWP isn't that widespread in Japan... φ(´・ω・`) *jotting that down* https://t.co/nA0jfaJ6Jr

     @motikan2010, 7 Mar 2025: 266 impressions, 1 retweet, 1 like, 2 bookmarks, 1 reply, 0 quotes

  5. A critical security flaw (CVE-2025-0912) in the WordPress GiveWP plugin exposes more than 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks. The vulnerability arises from improper handling of user-supplied data in the donation form processing logic, and a maximum CVSS… https://t.co/Nl4Fu1r5za

     @yousukezan, 5 Mar 2025: 772 impressions, 0 retweets, 5 likes, 1 bookmark, 0 replies, 0 quotes

  6. 🔴 A security flaw in the GiveWP donations plugin, identified as CVE-2025-0912, exposes more than 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks. 🧉 https://t.co/voSfwOW68E

     @MarquisioX, 5 Mar 2025: 31 impressions, 0 retweets, 1 like, 0 bookmarks, 0 replies, 0 quotes

  7. A critical flaw (CVE-2025-0912) in the GiveWP WordPress donation plugin risks over 100k sites, allowing RCE via PHP Object Injection. Upgrade to version 3.20.0 to secure! 🔒 #WordPress #RCE #USA link: https://t.co/fDXqaad0Xb https://t.co/0KPbMBsZ5R

     @TweetThreatNews, 5 Mar 2025: 20 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  8. CVE-2025-0912: Critical Flaw Exposes Over 100,000 WordPress Donation Sites to RCE https://t.co/pnh9CTXJf0

     @Dinosn, 5 Mar 2025: 3866 impressions, 26 retweets, 77 likes, 13 bookmarks, 1 reply, 0 quotes

  9. 🚨🚨CVE-2025-0912 (CVSS 9.8): Critical PHP Object Injection in GiveWP WordPress Plugin! Unauthenticated RCE = attackers can hijack servers & run wild. ZoomEye Dork👉app="WordPress GiveWP Plugin" Over 6.5K+ vulnerable instances exposed on ZoomEye! ZoomEye Link:… https://t.co

     @zoomeye_team, 5 Mar 2025: 387 impressions, 2 retweets, 4 likes, 2 bookmarks, 0 replies, 0 quotes

  10. 🚨 CVE-2025-0912 ⚠️🔴 CRITICAL (9.8) 🏢 givewp - GiveWP – Donation Plugin and Fundraising Platform 🏗️ * 🔗 https://t.co/T96Yhw6vvh 🔗 https://t.co/PVLIJsmhnk 🔗 https://t.co/pJBjpq0Hwt 🔗 https://t.co/2OdSzy6KMB #CyberCron #VulnAlert #InfoSec https://t.co/dtxSRmhQCA

      @cybercronai, 4 Mar 2025: 11 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  11. CVE-2025-0912 PHP Object Injection in WordPress Donations Widget Plugin Leads to Remote Code Execution https://t.co/RsEWk1h4ZV

      @VulmonFeeds, 4 Mar 2025: 44 impressions, 0 retweets, 0 likes, 1 bookmark, 0 replies, 0 quotes

Configurations