Critical severity9.8NVD Advisory· Published Mar 4, 2025· Updated Jun 17, 2026
CVE-2025-0912
CVE-2025-0912
Description
The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4<=3.19.4+ 1 more
- (no CPE)range: <=3.19.4
- (no CPE)
- stellarwp/GiveWP – Donation Plugin and Fundraising Platformv5Range: 0
Patches
Vulnerability mechanics
References
6- github.com/impress-org/givewp/pull/7679/filesnvdPatch
- plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Properties/BillingAddress.phpnvdPatch
- plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Repositories/DonationRepository.phpnvdPatch
- plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donors/Repositories/DonorRepository.phpnvdPatch
- plugins.trac.wordpress.org/changesetnvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547cnvdThird Party Advisory
News mentions
0No linked articles in our index yet.