CVE-2025-0912 — AI Deep Analysis Summary

🚨 **Essence**: GiveWP plugin suffers from **Unsafe Deserialization**. 📉 **Consequences**: Leads to **PHP Object Injection** and **Remote Code Execution (RCE)**. Attackers can take full control of the server!

🛡️ **Root Cause**: **CWE-502** (Deserialization of Untrusted Data). The plugin fails to validate input before passing it to PHP's deserialization functions, allowing malicious payloads to execute arbitrary code.

📦 **Affected**: **GiveWP – Donation Plugin** by StellarWP. 📅 **Version**: **3.19.4 and earlier**. If you are running an older version, you are at risk!

💀 **Attacker Power**: Full **RCE**. With CVSS 9.8 (Critical), hackers can read/write files, steal database data, and pivot to other systems. **No privileges needed** for initial access.

⚡ **Exploitation**: **Low Threshold**. CVSS vector shows **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges), **UI:N** (No User Interaction). Anyone can exploit it remotely!

🔍 **Public Exploit**: **No PoC yet**. The `pocs` field is empty. However, the vulnerability is well-understood. Wild exploitation is likely imminent given the high severity.

🔎 **Self-Check**: Scan for **GiveWP plugin** version < 3.19.5. Check `DonorRepository.php` and `DonationRepository.php` for unvalidated `unserialize()` calls. Use WPScan or similar tools.

✅ **Fixed**: **Yes**. Patch released via **Changeset 3234114**. The fix is in the `trunk` source. Update immediately to the latest version to close the hole.

🚧 **No Patch?**: **Disable the plugin** immediately if you cannot update. Alternatively, implement strict **Input Validation** and **Output Encoding** on donation forms. Block direct access to repository files.

🔥 **Urgency**: **CRITICAL**. CVSS 9.8 is nearly max score. Patch **NOW**. This is a high-value target for automated bots scanning for vulnerable WordPress plugins.