WordPress Plugin Vulnerabilities

GiveWP < 3.20.0 - Unauthenticated PHP Object Injection

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

Affects Plugins

Plugin icon
give
Fixed in 3.20.0

References

CVE
CVE-2025-0912
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547c

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
dream hard
Verified
No
WPVDB ID
e27044bd-daab-47e6-b399-de94c45885c5

Timeline

Publicly Published
2025-03-03 (about 1 year ago)
Added
2025-03-06 (about 1 year ago)
Last Updated
2025-03-06 (about 1 year ago)

Other

Published
Title
Published
2026-01-13
Title
Vivagh <= 2.4 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-09-24
Title
Prisna GWT - Google Website Translator < 1.4.12 - Authenticated (Admin+) PHP Object Injection
Published
2016-03-02
Title
Easy Digital Downloads < 2.5.8 - PHP Object Injection
Published
2025-01-03
Title
WPGuppy < 1.1.1 - Unauthenticated PHP Object Injection
Published
2017-10-02
Title
Appointments <= 2.2.1 - Unauthenticated PHP Object Injection