CVE-2025-0912

CVE-2025-0912 is a PHP Object Injection vulnerability (CWE-502) affecting the Donations Widget plugin for WordPress in all versions up to and including 3.19.4. The flaw arises from deserialization of untrusted input supplied via the 'card_address' parameter in the Donation Form, enabling attackers to inject a PHP Object. The presence of a POP chain in the plugin escalates this to remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting crafted input through the Donation Form's 'card_address' parameter, they can inject malicious PHP Objects, leveraging the available POP chain to execute arbitrary code on the server hosting the vulnerable WordPress site.

Patches addressing the vulnerability are available in the GiveWP plugin repository, as evidenced by changesets in the WordPress plugins trac, including modifications to BillingAddress.php, DonationRepository.php, and DonorRepository.php (changeset 3234114), along with a related GitHub pull request. Security practitioners should update to a patched version of the plugin to mitigate the issue.