CVE-2025-22777
Published: 13 January 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-22777 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the StellarWP GiveWP plugin for WordPress, enabling object injection. The issue affects all versions of GiveWP up to and including 3.19.3. Published on January 13, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows attackers to achieve high levels of impact on confidentiality, integrity, and availability, potentially leading to full system compromise through object injection in PHP.
Advisories from Patchstack and SecurityOnline detail the vulnerability and recommend mitigation; security practitioners should consult these sources for patch availability and update instructions for affected GiveWP installations.
The GiveWP plugin has over 100,000 active WordPress installations, amplifying the potential exposure of this critical flaw. No public information on real-world exploitation is available in the provided details.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated PHP Object Injection in public-facing WordPress GiveWP plugin enables T1190 (Exploit Public-Facing Application) for potential RCE/code injection/SQLi/path traversal, and facilitates T1499.004 (Application or System Exploitation) for denial of service.