Critical Security Flaw in GiveWP Donation Plugin Exposes 100,000+ WordPress Sites to RCE Attacks

A severe vulnerability in the GiveWP Donation Plugin, tracked as CVE-2025-0912, has put over 100,000 WordPress websites at risk of unauthenticated remote code execution (RCE) attacks.

Vulnerability Details

This flaw, carrying a CVSS severity score of 9.8 (Critical), stems from improper handling of user-supplied data within the plugin’s donation form processing logic.

Attackers can exploit this weakness by submitting crafted serialized data that the plugin deserializes without validation, injecting malicious PHP objects and leveraging a Property-Oriented Programming (POP) chain to gain full control of affected servers.

Affected Component: card_address Parameter

The vulnerability exists in how the plugin processes the card_address parameter within donation forms. Versions up to and including 3.19.4 fail to properly validate or sanitize serialized input, allowing PHP Object Injection (CWE-502).

Specifically, the give_process_donation_form() function blindly deserializes user input, enabling attackers to craft payloads that instantiate arbitrary PHP objects.

A critical factor enabling remote code execution (RCE) is the presence of exploitable POP chains in the plugin’s codebase. By chaining together magic methods such as destructors (__destruct) or wakeup functions (__wakeup) that run automatically on injected objects, attackers can escalate object injection into system command execution, as noted in a Wordfence security report.

Exploit Impact

This flaw bypasses WordPress security nonces and requires no authentication, making it easily exploitable by external attackers. Successful attacks could result in:

  • Arbitrary file deletion (including wp-config.php)
  • Extraction of database credentials
  • Backdoor installation via web shells

Given GiveWP’s use by nonprofits, religious organizations, and political campaigns, compromised sites face risks such as:

  • Financial fraud
  • Donor data theft
  • Reputational damage

Attackers could also deface websites, redirect donations, or deploy cryptocurrency miners. The plugin’s integration with PayPal and Stripe raises concerns about potential secondary breaches of transactional systems.

Patching and Mitigation

Despite the availability of a patched version (3.20.0), over 30% of affected sites remain unpatched, according to security analysts at Defiant. The update fixes the flaw by enforcing strict input validation and eliminating unsafe deserialization.

Recommended Actions for Site Owners

To secure affected websites, administrators should:

  • Update immediately to GiveWP 3.20.0 or later
  • Audit server logs for suspicious POST requests to /wp-json/givewp/v3/donations
  • Deploy a Web Application Firewall (WAF) to block serialized data in card_address parameters
  • Monitor for unauthorized file changes or unexpected new admin users
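As an added example (not code from GiveWP, Wordfence or this article), the following Python script implements the log-audit and WAF checks listed above and, at the same time, shows what the serialized payloads described in the vulnerability section look like on the wire: it parses captured donation POST bodies, flags any parameter whose value is PHP-serialized data, and lists the class names of embedded object tokens (the `O:<len>:"<Class>":<n>:{` form that triggers object instantiation on unserialize). The record format, the endpoint filter and the sample requests are constructed assumptions; the sample payloads use only stdClass, so they illustrate the shape of a serialized object rather than any gadget chain.

```python
"""Audit captured donation requests for PHP-serialized payloads.

Added example, not GiveWP's or Wordfence's code. Assumes request records
captured by a WAF or request-logging layer that retain the POST body; the
record format and the sample payloads below are constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import parse_qs

# A PHP serialized object token: O:<namelen>:"<ClassName>":<propcount>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([^"]*)":\d+:\{')
# A value that *starts* like PHP serialized data (scalar, array, object or null).
# The digit after the colon avoids matching ordinary text such as "a: 12 Main St".
PHP_SERIALIZED_START_RE = re.compile(r'^(?:[abdis]:\d|O:\d|N;)')

# REST route named in the advisory; assumption: this is the only route logged here.
DONATION_PATHS = ("/wp-json/givewp/v3/donations",)
WATCHED_PARAM = "card_address"


def looks_serialized(value: str) -> bool:
    """True if value starts like serialized PHP data or embeds an object token."""
    v = value.strip()
    return bool(PHP_SERIALIZED_START_RE.match(v)) or bool(PHP_OBJECT_RE.search(v))


def object_class_names(value: str) -> list:
    """Class names of every serialized object embedded in value, at any depth."""
    return PHP_OBJECT_RE.findall(value)


def inspect_request(record: dict) -> Optional[dict]:
    """Return a finding for a suspicious donation POST, or None if it looks clean."""
    if record.get("method") != "POST":
        return None
    if not record.get("path", "").startswith(DONATION_PATHS):
        return None
    # parse_qs URL-decodes the body, so %3A -> ':' and %22 -> '"' before matching.
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    hits = {}
    for name, values in params.items():
        for v in values:
            if looks_serialized(v):
                hits.setdefault(name, []).extend(object_class_names(v))
    if not hits:
        return None
    return {
        "client": record.get("client"),
        "path": record["path"],
        "params": hits,
        "targets_card_address": WATCHED_PARAM in hits,
    }


def audit(records: list) -> list:
    """Run inspect_request over every record and keep only the findings."""
    return [f for f in (inspect_request(r) for r in records) if f]


# Constructed sample records (hypothetical clients and bodies). The serialized
# values use only stdClass, which has no magic methods, so they show the shape
# of an object-injection payload without describing a working gadget chain.
SAMPLE_RECORDS = [
    {"client": "203.0.113.10", "method": "POST", "path": "/wp-json/givewp/v3/donations",
     "body": "amount=25&card_address=12+Example+Street&card_city=Springfield"},
    {"client": "203.0.113.11", "method": "POST", "path": "/wp-json/givewp/v3/donations",
     "body": "amount=25&card_address=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"},
    {"client": "203.0.113.12", "method": "POST", "path": "/wp-json/givewp/v3/donations",
     "body": "amount=25&card_address=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"},
    {"client": "203.0.113.13", "method": "GET", "path": "/wp-json/givewp/v3/donations",
     "body": ""},
    {"client": "203.0.113.14", "method": "POST", "path": "/wp-json/wp/v2/posts",
     "body": "title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```

Run against the constructed records, the script reports the two donation POSTs whose card_address carries serialized data (one a bare object, one an object nested inside a serialized array) and ignores the plain-text address, the GET request and the unrelated route. The same `looks_serialized` test is what a WAF rule for the card_address parameter should encode: a legitimate postal address never starts with a PHP type tag followed by a digit, so the check can be strict without blocking real donors.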

For websites unable to patch immediately, temporary mitigations include:

  • Disabling the donation widget
  • Restricting form submissions to reCAPTCHA-verified users

Ongoing Threat Landscape

While no active exploits have been reported yet, the vulnerability’s ease of exploitation and high impact make it an attractive target for ransomware groups.

WordPress security teams urge all GiveWP users to:

  • Subscribe to vulnerability disclosure feeds
  • Implement atomic security measures, such as MalCare’s real-time exploit prevention

With WordPress powering over 43% of all websites, this incident underscores the critical need for rigorous third-party plugin audits and automated patch management, especially for nonprofit organizations relying on donation platforms.

Cyberkitera is a premier cybersecurity publishing platform dedicated to providing the latest insights, expert security tips, and news across all areas of cybersecurity. Our mission is to empower individuals and businesses with knowledge to prevent cyber threats, stay informed about emerging trends, and safeguard their digital assets. From industry updates to practical advice on protecting against cyber attacks, Cyberkitera is your trusted source for staying ahead in the ever-evolving world of cybersecurity.