CVE-2025-0912 is a critical deserialization vulnerability (CWE-502) found in the GiveWP Donation Plugin for WordPress, specifically in all versions up to and including 3.19.4. The vulnerability arises from unsafe deserialization of untrusted data submitted via the 'card_address' parameter in the Donation Form widget. This parameter is processed without sufficient validation or sanitization, allowing an attacker to inject crafted PHP objects. The presence of a Property Oriented Programming (POP) gadget chain within the plugin's codebase enables attackers to escalate this injection into remote code execution (RCE) on the server hosting the WordPress site. The vulnerability requires no authentication and no user interaction, making it highly exploitable remotely over the network. The CVSS 3.1 base score is 9.8, reflecting the critical impact on confidentiality, integrity, and availability. The vulnerability was publicly disclosed in March 2025, with no patches currently available at the time of this report. The GiveWP plugin is widely used by organizations for donation and fundraising purposes, making this vulnerability particularly dangerous as it can lead to full server compromise, data theft, defacement, or use of the server as a pivot point for further attacks.

The impact of CVE-2025-0912 is severe for organizations worldwide using the GiveWP plugin on WordPress sites. Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the web server, potentially leading to full system compromise. This can result in theft or manipulation of sensitive donor and financial data, disruption of fundraising activities, defacement of websites, and deployment of malware or ransomware. The breach of confidentiality and integrity can damage organizational reputation and lead to regulatory penalties, especially for nonprofits handling donor information. Additionally, compromised servers can be leveraged to launch further attacks within an organization's network or against third parties. The ease of exploitation and lack of required authentication significantly increase the risk of widespread attacks, particularly targeting organizations relying heavily on online donations and fundraising platforms.

1. Immediate application of patches or updates from GiveWP once available is critical. Monitor official GiveWP channels for security releases addressing this vulnerability. 2. In the absence of an official patch, implement Web Application Firewall (WAF) rules to block or sanitize requests containing suspicious serialized PHP objects or anomalous 'card_address' parameter inputs. 3. Disable or restrict the Donations Widget if it is not essential, or temporarily remove the plugin until a fix is released. 4. Employ strict input validation and sanitization on all user-supplied data, particularly parameters that are deserialized. 5. Monitor web server and application logs for unusual POST requests targeting the donation form or containing serialized data patterns. 6. Harden the WordPress environment by limiting PHP execution permissions and isolating the web server from critical backend systems. 7. Conduct regular security audits and penetration testing focusing on deserialization and injection vectors. 8. Educate site administrators about the risks and signs of exploitation to enable rapid incident response.