Summary: A critical vulnerability (CVE-2025-0912) in the GiveWP WordPress donation plugin puts more than 100,000 websites at risk. The flaw lies in the handling of the "card_address" parameter and allows unauthenticated attackers to perform PHP Object Injection, which can lead to remote code execution. Site owners are urged to upgrade to version 3.20.0, which fixes the issue.
Affected: GiveWP plugin for WordPress
Key points:
- CVE-2025-0912 has a CVSS score of 9.8, which is critical severity.
- All plugin versions up to and including 3.19.4 are vulnerable to PHP Object Injection.
- The flaw lets unauthenticated attackers inject arbitrary PHP objects; with a usable gadget (POP) chain this becomes arbitrary code execution on the server and full control over the affected website.
- Website administrators are advised to upgrade to GiveWP version 3.20.0 or later to remove the risk.
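To make the bug class concrete, the following is an added, generic illustration of how PHP Object Injection arises and how it is closed. It is not GiveWP's code and does not reproduce the plugin's actual handling of "card_address": the LogWriter class, the request-array shape and the handler names are assumptions chosen for the demonstration.

```php
<?php
// Added illustration of PHP Object Injection; not code from the GiveWP plugin.
// A hypothetical class standing in for a "gadget": any class already loaded by
// the application whose magic methods (__wakeup, __destruct, __toString, ...)
// act on properties an attacker can populate through unserialize().
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    public function __destruct()
    {
        // Attacker-chosen path and content, written when the object is discarded.
        file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

// Vulnerable pattern: a request parameter is passed straight to unserialize(),
// so any class in the codebase can be instantiated with attacker-chosen state.
function read_card_address_vulnerable(array $request): array
{
    $raw   = $request['card_address'] ?? '';
    $value = unserialize($raw);             // instantiates whatever class the payload names
    return is_array($value) ? $value : [];  // the LogWriter is freed here and __destruct fires
}

// Hardened pattern 1: keep the serialization format but forbid object creation.
// Any object in the payload becomes __PHP_Incomplete_Class, which has no magic methods.
function read_card_address_hardened(array $request): array
{
    $raw   = $request['card_address'] ?? '';
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : [];
}

// Hardened pattern 2 (preferred for data that crosses a trust boundary):
// use JSON, which has no way to express PHP objects at all.
function read_card_address_json(array $request): array
{
    $raw = $request['card_address'] ?? '';
    try {
        $value = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($value) ? $value : [];
}

// Constructed payload: a serialized LogWriter built by hand so that no real
// LogWriter is created (and destructed) on the attacker side while building it.
function gadget_payload(string $path, string $line): string
{
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"line";s:%d:"%s";}',
        strlen($path), $path, strlen($line), $line
    );
}

$target  = sys_get_temp_dir() . '/poi-demo.txt';
@unlink($target);
$request = ['card_address' => gadget_payload($target, "injected\n")];  // constructed input

read_card_address_vulnerable($request);
echo "vulnerable handler wrote the file: " . var_export(file_exists($target), true) . PHP_EOL;  // true
@unlink($target);

read_card_address_hardened($request);
echo "hardened handler wrote the file: " . var_export(file_exists($target), true) . PHP_EOL;    // false
$stub = unserialize($request['card_address'], ['allowed_classes' => false]);
echo "hardened unserialize produced: " . get_class($stub) . PHP_EOL;  // __PHP_Incomplete_Class

var_dump(read_card_address_json($request));  // array(0) {} : the payload is not valid JSON
```

The point to take from the demonstration is that the vulnerable handler never calls anything on the injected object; simply deserialising it and letting it go out of scope is enough to run code in the gadget's __destruct. Restricting allowed_classes removes that trigger, but it is a stopgap: if the format must carry objects, the safer fix is to stop accepting PHP-serialized data from the request altogether.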