A critical security flaw in the widely used GiveWP – Donation Plugin and Fundraising Platform has exposed more than 10,000 WordPress websites to remote code execution attacks since details became public on March 3, 2025.
Tracked as CVE-2025-0912, the vulnerability lets unauthenticated attackers take over sites by exploiting a deserialization flaw in versions 3.19.4 and earlier.
The root cause is that untrusted input from the card_address parameter of donation forms is deserialized by the plugin without validation.
Because PHP's unserialize() lets the sender choose which class is instantiated and what its properties contain, an attacker can inject an arbitrary PHP object, and magic methods such as __wakeup() and __destruct() then run with attacker-controlled state. Chaining such methods across classes already loaded on the server (a property-oriented programming, or POP, chain) turns that into arbitrary code execution and full control of the affected site.
With a CVSS score of 9.8 (Critical), the flaw enables threat actors to steal sensitive donor data, deploy backdoors, or redirect transactions without authentication.
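To make the mechanism concrete, the following PHP is an added example and not GiveWP's own code: `TempFileCleanup` is a hypothetical gadget class standing in for whatever classes a real POP chain would use, `parseCardAddressVulnerable()` deserializes a `card_address` value the way the article describes, and the two hardened variants show the kind of "restricted deserialization" and validation a fix of this class involves. The payload and the JSON sample are constructed inline; none of the function or class names come from the plugin.

```php
<?php
// Added example (not GiveWP's code): why unserialize() on a request
// parameter is exploitable, and two ways to close it.

// Hypothetical gadget. Any class loaded when unserialize() runs is a
// candidate; WordPress loads every active plugin and theme, so the pool is large.
final class TempFileCleanup
{
    public string $path = '';

    // Runs when the object is destroyed. The attacker picks $path, so a real
    // gadget like this is an arbitrary-file-delete primitive. Here it only echoes.
    public function __destruct()
    {
        echo "[gadget] __destruct would unlink: {$this->path}\n";
        // A real gadget would do: @unlink($this->path);
    }
}

// Vulnerable pattern: the client-supplied string reaches unserialize() unchanged.
function parseCardAddressVulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened option 1: keep the wire format but forbid object instantiation.
// Objects in the payload become __PHP_Incomplete_Class, which has no
// __wakeup()/__destruct(), so no gadget code runs. max_depth (PHP >= 7.4)
// bounds deeply nested payloads aimed at resource exhaustion.
function parseCardAddressRestricted(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
}

// Hardened option 2 (preferred): never accept PHP serialization from a client.
// Expect JSON, allow-list the keys, and coerce every value to a bounded string.
function parseCardAddressJson(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($data)) {
        return null;
    }
    $allowed = ['line1', 'line2', 'city', 'state', 'zip', 'country'];
    $clean = [];
    foreach ($allowed as $key) {
        if (isset($data[$key]) && is_string($data[$key])) {
            $clean[$key] = substr(trim($data[$key]), 0, 200);
        }
    }
    return $clean;
}

// Detection signal for logs or a WAF: serialized objects always carry an
// O:<len>:"Class" (or C: for custom serialization) token. Decode URL/base64
// layers first; this is a hunting aid, not a fix.
function looksLikeSerializedObject(string $raw): bool
{
    return (bool) preg_match('/(?:^|[;:{])[OC]:\d+:"/', $raw);
}

// Constructed payload. Building it with sprintf/strlen shows the format an
// attacker hand-writes: O:<class len>:"<class>":<prop count>:{<props>}.
$class   = 'TempFileCleanup';
$path    = '/tmp/victim-file';
$payload = sprintf('O:%d:"%s":1:{s:4:"path";s:%d:"%s";}',
    strlen($class), $class, strlen($path), $path);

echo "payload:  $payload\n";
echo "detector: " . (looksLikeSerializedObject($payload) ? 'flagged' : 'clean') . "\n";

echo "--- vulnerable ---\n";
$obj = parseCardAddressVulnerable($payload);
var_dump(get_class($obj));   // "TempFileCleanup": attacker-chosen class instantiated
unset($obj);                 // __destruct fires with the attacker-chosen path

echo "--- allowed_classes => false ---\n";
$obj = parseCardAddressRestricted($payload);
var_dump(get_class($obj));   // "__PHP_Incomplete_Class": inert placeholder, nothing runs
unset($obj);

echo "--- JSON with allow-list ---\n";
var_dump(parseCardAddressJson($payload));   // NULL: not JSON, rejected outright
var_dump(parseCardAddressJson('{"line1":"1 Main St","city":"Springfield","zip":"12345","evil":"x"}'));
// "evil" is dropped; only allow-listed string fields survive
```

Run it with `php example.php` on PHP 8.x. The point of the first hardened variant is that `allowed_classes => false` neutralizes gadget execution without changing the wire format, which is the minimal patch shape; it does nothing about the application later expecting a real object, and it still parses attacker-controlled structure, which is why the JSON allow-list variant is the one to reach for in new code. To confirm which GiveWP build a site is running, `wp plugin get give --field=version` (standard WP-CLI, `give` being the plugin's slug) prints the installed version; anything at or below 3.19.4 is in scope for this CVE.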
Security researcher dream hard discovered the issue during routine code analysis, noting that deserialization of untrusted input bypassed all security checks in the plugin’s payment processing workflow.
“This vulnerability is a perfect storm: widespread usage, trivial exploitation, and high impact. Attackers could deface sites, siphon funds, or escalate privileges within minutes,” the researcher warned.
GiveWP powers donation systems for nonprofits, religious organizations, and political campaigns worldwide, handling millions in transactions annually. Compromised sites risk:
Wordfence Intelligence confirmed active scanning for vulnerable sites beginning March 4, with at least three distinct exploit chains observed in the wild.
The plugin’s popularity among mission-critical entities heightens concerns about unpatched instances.
GiveWP released version 3.20.0 on March 4, introducing validation checks and restricted data deserialization. Administrators must immediately:
“Organizations using older versions should assume compromise,” urged Wordfence’s threat analysis team. “Conduct full malware scans and monitor donor accounts for irregularities.”
The cybersecurity community has criticized GiveWP’s initial response timeline, noting the patch arrived 48 hours after public disclosure.
Open-source maintainers emphasized the need for stricter code review processes, particularly in plugins handling financial data.
As of March 5, over 7,000 sites remain unpatched according to WordPress.org telemetry. With PoC exploits circulating on hacker forums, the window for proactive defense is rapidly closing.
Organizations relying on GiveWP must prioritize updates to prevent irreversible reputational and financial damage.