A critical security flaw in the widely used GiveWP – Donation Plugin and Fundraising Platform has left over 10,000 WordPress sites exposed to remote code execution attacks since March 3, 2025.
Tracked as CVE-2025-0912, the vulnerability allows unauthenticated attackers to hijack sites by exploiting a deserialization flaw in versions 3.19.4 and earlier.
Vulnerability Overview
The vulnerability stems from improper sanitization of the card_address parameter in donation forms.
Attackers can inject malicious PHP objects into web servers, leveraging a property-oriented programming (POP) chain to execute arbitrary code and gain full control over affected sites.
With a CVSS score of 9.8 (Critical), the flaw allows threat actors to steal sensitive donor data, deploy backdoors, or redirect transactions without authentication.
Security researcher dream laborious discovered the issue during routine code review, noting that deserialization of untrusted input bypassed all security checks in the plugin’s payment processing workflow.
“This vulnerability is a perfect storm: widespread usage, trivial exploitation, and high impact. Attackers could deface sites, siphon funds, or escalate privileges within minutes,” the researcher warned.
Impact and Exploitation Risks
GiveWP powers donation systems for nonprofits, religious organizations, and political campaigns worldwide, handling millions in transactions annually. Compromised sites risk:
- Financial fraud through modified payment gateways
- Data breaches exposing donor names, emails, and billing addresses
- SEO poisoning via injected malicious redirects
- Full site takeover for hosting phishing content
Wordfence Intelligence confirmed active scanning for vulnerable sites beginning March 4, with at least three distinct exploit chains observed in the wild.
The plugin’s popularity among mission-critical entities heightens concerns about unpatched instances.
Mitigation and Response
GiveWP released version 3.20.0 on March 4, introducing validation checks and restricted data deserialization. Administrators should immediately:
- Update to the patched version
- Audit server logs for suspicious POST requests to /wp-json/give/v1/donations
- Revoke and regenerate API keys for payment processors
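The following script is an added example, not code from GiveWP, Wordfence, or the researcher. It supports two points above: the log audit recommended in the mitigation list, and screening a submitted field such as card_address for the PHP serialized-object syntax (`O:<len>:"Class":<n>:{…}`) that a deserialization attack must carry. The access-log lines and form values are constructed for the example; only the endpoint path and parameter name come from the advisory. The `burst_threshold` and the combined-log-format regex are the script's own assumptions.

```python
"""Added example: audit web server access logs for POST requests to the GiveWP
donations endpoint and screen form fields for PHP serialized objects.
Not GiveWP or Wordfence code. Sample log lines and field values are constructed."""
import re
from collections import Counter

# Endpoint named in the advisory's mitigation guidance.
DONATIONS_ENDPOINT = "/wp-json/give/v1/donations"

# Apache/nginx "combined" log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# PHP serialize() output for an object: O:<class name length>:"<class>":<property count>:{
# A street address submitted by a real donor never looks like this.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[^"]+":\d+:\{')

# Constructed sample log: one scripted client hammering the endpoint, one normal donor.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Mar/2025:10:15:01 +0000] "POST /wp-json/give/v1/donations HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [04/Mar/2025:10:15:02 +0000] "POST /wp-json/give/v1/donations HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [04/Mar/2025:10:15:03 +0000] "POST /wp-json/give/v1/donations HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.20 - - [04/Mar/2025:10:16:10 +0000] "GET /donate/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [04/Mar/2025:10:16:40 +0000] "POST /wp-json/give/v1/donations HTTP/1.1" 200 512 "https://example.org/donate/" "Mozilla/5.0"',
]

# Constructed form submission: a benign stdClass object stands in for any serialized payload.
SAMPLE_FIELDS = {
    "first_name": "Ada",
    "card_address": 'O:8:"stdClass":1:{s:1:"a";i:1;}',
    "card_city": "Springfield",
}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit_access_log(lines, burst_threshold=3):
    """Return (hits, bursty_ips).

    hits: parsed records for every POST to the donations endpoint.
    bursty_ips: {ip: count} for sources that posted at least burst_threshold times,
    which is the pattern an automated scanner leaves behind."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop any query string and trailing slash before comparing paths.
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if rec["method"] == "POST" and path == DONATIONS_ENDPOINT:
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    bursty = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return hits, bursty


def looks_like_php_serialized_object(value):
    """True if the string contains PHP serialized-object syntax anywhere."""
    return PHP_OBJECT_RE.search(value) is not None


def screen_form_fields(fields):
    """Return the names of string fields carrying a PHP serialized object.

    Meant for a WAF or request-body log, since access logs do not record POST bodies."""
    return [
        name for name, value in fields.items()
        if isinstance(value, str) and looks_like_php_serialized_object(value)
    ]


if __name__ == "__main__":
    hits, bursty = audit_access_log(SAMPLE_LOG)
    print(f"{len(hits)} POST(s) to {DONATIONS_ENDPOINT}; bursty sources: {bursty}")
    for rec in hits:
        print(f"  {rec['ts']} {rec['ip']} -> {rec['status']} ua={rec['ua']!r}")
    print("fields carrying serialized objects:", screen_form_fields(SAMPLE_FIELDS))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; a source that repeatedly posts to the endpoint with a non-browser user agent and no referer, especially with 500 responses interleaved, is worth correlating with the plugin update date. The field screen only applies where request bodies are logged (a WAF, ModSecurity audit log, or application-level logging), and a match is grounds for investigation, not proof of compromise on its own.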
“Organizations using older versions should assume compromise,” urged Wordfence’s threat analysis team. “Conduct full malware scans and monitor donor accounts for irregularities.”
The cybersecurity community has criticized GiveWP’s initial response timeline, noting the patch arrived 48 hours after public disclosure.
Open-source maintainers emphasized the need for stricter code review processes, particularly in plugins handling financial data.
As of March 5, over 7,000 sites remain unpatched according to WordPress.org telemetry. With PoC exploits circulating on hacker forums, the window for proactive defense is rapidly closing.
Organizations relying on GiveWP must prioritize updates to prevent irreversible reputational and financial damage.