AI description
CVE-2025-0912 is a critical vulnerability affecting the GiveWP WordPress donation plugin, specifically versions 3.19.4 and earlier. It stems from improper sanitization of the `card_address` parameter in donation forms, allowing unauthenticated attackers to inject malicious PHP objects. This vulnerability enables remote code execution (RCE) attacks. Exploiting this flaw involves leveraging a property-oriented programming (POP) chain within the plugin's code. This allows attackers to escalate the object injection vulnerability into full server compromise. Consequences can include arbitrary file deletion, database credential leaks, and backdoor installation via web shells. A patch is available in version 3.20.0 of the GiveWP plugin, which implements stricter input validation and removes the unsafe deserialization logic.
- Description
- The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
- Source
- security@wordfence.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Hype score
- Not currently trending
A vulnerability with the identifier CVE-2025-0912 and a severity score of 9.8 has recently been published for the Donation plugin for WordPress. This vulnerability, which is of the PHP deserialization type, allows a hacker to execute code on the vulnerable website and take full control of it. https://t.co/Poz3aKY03t https:
@AmirHossein_sec
9 Mar 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A vulnerability with the identifier CVE-2025-0912 and a severity score of 9.8 has recently been published for the Donation plugin for WordPress. This vulnerability, which is of the PHP deserialization type, allows a hacker to execute code on the vulnerable website and take full control of it.
@cybernetic_cy
8 Mar 2025
80 Impressions
2 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-0912: Critical Flaw Exposes Over 100,000 WordPress Donation Sites to RCE A severe security vulnerability has been discovered in GiveWP, the popular WordPress donation plugin, putting over 100,000 websites at significant risk. The vulnerability, tracked as CVE-2025-0912
@ishowcybersec
7 Mar 2025
65 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
I surveyed roughly 500,000 Japanese WP sites for the GiveWP WP plugin vulnerability (CVE-2025-0912). ■ 103 sites have the plugin installed ■ About 74.8% (77 sites) are running an unpatched version below 3.20.0. So GiveWP isn't that widespread in Japan... φ(´・ω・`) noted https://t.co/nA0jfaJ6Jr
@motikan2010
7 Mar 2025
266 Impressions
1 Retweet
1 Like
2 Bookmarks
1 Reply
0 Quotes
A critical security flaw (CVE-2025-0912) in the GiveWP plugin for WordPress exposes over 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks. The vulnerability arises from improper handling of user-supplied data in the donation form processing logic, with a maximum CVSS… https://t.co/Nl4Fu1r5za
@yousukezan
5 Mar 2025
772 Impressions
0 Retweets
5 Likes
1 Bookmark
0 Replies
0 Quotes
🔴 A security flaw in the GiveWP donations plugin, identified as CVE-2025-0912, exposes more than 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks. 🧉 https://t.co/voSfwOW68E
@MarquisioX
5 Mar 2025
31 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A critical flaw (CVE-2025-0912) in the GiveWP WordPress donation plugin risks over 100k sites, allowing RCE via PHP Object Injection. Upgrade to version 3.20.0 to secure! 🔒 #WordPress #RCE #USA link: https://t.co/fDXqaad0Xb https://t.co/0KPbMBsZ5R
@TweetThreatNews
5 Mar 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-0912: Critical Flaw Exposes Over 100,000 WordPress Donation Sites to RCE https://t.co/pnh9CTXJf0
@Dinosn
5 Mar 2025
3866 Impressions
26 Retweets
77 Likes
13 Bookmarks
1 Reply
0 Quotes
🚨🚨CVE-2025-0912 (CVSS 9.8): Critical PHP Object Injection in GiveWP WordPress Plugin! Unauthenticated RCE = attackers can hijack servers & run wild. ZoomEye Dork👉app="WordPress GiveWP Plugin" Over 6.5K+ vulnerable instances exposed on ZoomEye! ZoomEye Link:… https://t.co
@zoomeye_team
5 Mar 2025
387 Impressions
2 Retweets
4 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-0912 ⚠️🔴 CRITICAL (9.8) 🏢 givewp - GiveWP – Donation Plugin and Fundraising Platform 🏗️ * 🔗 https://t.co/T96Yhw6vvh 🔗 https://t.co/PVLIJsmhnk 🔗 https://t.co/pJBjpq0Hwt 🔗 https://t.co/2OdSzy6KMB #CyberCron #VulnAlert #InfoSec https://t.co/dtxSRmhQCA
@cybercronai
4 Mar 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-0912 PHP Object Injection in WordPress Donations Widget Plugin Leads to Remote Code Execution https://t.co/RsEWk1h4ZV
@VulmonFeeds
4 Mar 2025
44 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "04645A10-A7FC-4550-9321-6F01E2FBF448",
            "versionEndExcluding": "3.20.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]