CVE-2025-0912 Overview
The Donations Widget plugin (GiveWP) for WordPress contains a PHP Object Injection vulnerability in all versions up to and including 3.19.4. The vulnerability exists due to insecure deserialization of untrusted input from the Donation Form through the card_address parameter. This allows unauthenticated attackers to inject malicious PHP objects, and with the presence of a POP (Property-Oriented Programming) chain, attackers can achieve remote code execution on vulnerable WordPress installations.
Critical Impact
Unauthenticated remote code execution via PHP Object Injection through the donation form, potentially allowing complete server compromise.
Affected Products
- GiveWP Donations Widget versions up to and including 3.19.4
- WordPress installations running vulnerable GiveWP plugin versions
- Any site with public-facing donation forms using the affected plugin
Discovery Timeline
- March 4, 2025 - CVE-2025-0912 published to NVD
- March 5, 2025 - Last updated in NVD database
Technical Details for CVE-2025-0912
Vulnerability Analysis
This PHP Object Injection vulnerability (CWE-502: Deserialization of Untrusted Data) affects the GiveWP donation plugin's handling of billing address information. The vulnerability stems from the plugin's failure to properly validate and sanitize serialized data submitted through donation forms before deserializing it.
The attack can be executed without authentication, as the donation form is typically exposed to unauthenticated users. When combined with an existing POP chain within the WordPress ecosystem or the plugin's codebase, the injected object can trigger a chain of method calls that ultimately result in arbitrary code execution.
The affected components include:
- BillingAddress.php - Properties handling for billing addresses
- DonationRepository.php - Repository handling donation data
- DonorRepository.php - Repository handling donor information
Root Cause
The root cause is the use of PHP's unserialize() function on user-controlled input from the card_address parameter without proper validation or sanitization. PHP deserialization is inherently dangerous when processing untrusted data because it can instantiate arbitrary objects and trigger magic methods like __wakeup() or __destruct() that may execute malicious code.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft a malicious serialized PHP object payload and submit it through the donation form's card_address field. The vulnerable code deserializes this input, instantiating the attacker's object. If a suitable POP chain exists (a sequence of classes with exploitable magic methods), the attacker can chain method calls to achieve remote code execution.
The attack flow involves:
- Identifying a vulnerable GiveWP installation
- Crafting a serialized PHP object containing a POP chain
- Submitting the malicious payload via the donation form
- The server deserializes the payload and executes the POP chain
- Arbitrary code execution occurs on the server
Detection Methods for CVE-2025-0912
Indicators of Compromise
- Unusual serialized data patterns in web server logs, particularly in POST requests to donation form endpoints
- PHP objects containing suspicious class names in card_address parameters
- Unexpected PHP process behavior or file system modifications following donation form submissions
- Web shell files appearing in WordPress directories
Detection Strategies
- Monitor web application firewall logs for serialized PHP object patterns (strings starting with O: followed by object definitions)
- Implement regex-based detection for common PHP serialization attack patterns in HTTP request bodies
- Review WordPress access logs for anomalous POST requests to GiveWP donation endpoints
- Deploy runtime application self-protection (RASP) solutions to detect deserialization attacks
Monitoring Recommendations
- Enable detailed logging for all donation form submissions
- Configure alerting for POST requests containing serialized object patterns
- Monitor server resource usage for unexpected PHP process activity
- Implement file integrity monitoring on WordPress core and plugin directories
How to Mitigate CVE-2025-0912
Immediate Actions Required
- Update GiveWP (Donations Widget) plugin to a version newer than 3.19.4 immediately
- Review web server logs for potential exploitation attempts prior to patching
- Conduct a security assessment to verify no compromise has occurred
- Consider temporarily disabling the donation form if immediate patching is not possible
Patch Information
The vendor has released patches addressing this vulnerability. The fixes are documented in the following resources:
- GitHub Pull Request #7679 - Contains the code changes addressing the vulnerability
- WordPress Trac Changeset 3234114 - BillingAddress.php fix
- WordPress Trac Changeset - DonationRepository - DonationRepository.php fix
- WordPress Trac Changeset - DonorRepository - DonorRepository.php fix
For additional technical details, refer to the Wordfence Vulnerability Details.
Workarounds
- Temporarily disable the GiveWP donation form until the plugin can be updated
- Implement Web Application Firewall (WAF) rules to block serialized PHP object patterns in POST data
- Use input validation at the web server level to reject requests containing suspicious serialized data
- Consider restricting access to donation forms via IP allowlisting if applicable to your use case
# Example WAF rule to block PHP serialization patterns (ModSecurity)
SecRule REQUEST_BODY "@rx O:\d+:\"[^\"]+\":\d+:" \
"id:100001,phase:2,deny,status:403,msg:'Potential PHP Object Injection detected'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
