A serious flaw in the popular GiveWP Donation Plugin has put over 10,000 WordPress sites at risk of remote code execution since March 3, 2025.
Known as CVE-2025-0912, this bug lets attackers take over sites without logging in by exploiting a deserialization issue in versions 3.19.4 and earlier.
All about the plugin vulnerability
The flaw comes from improper handling of the card_address field in donation forms.
Hackers can inject harmful PHP objects, using a technique called POP (Property-Oriented Programming) to run their own code and take full control of affected sites.
With a critical CVSS score of 9.8, this bug allows attackers to steal donor data, install backdoors, or hijack payments without needing to log in.
Researcher dream hard found the issue while reviewing the plugin’s code, warning that it’s easy to exploit and could lead to defaced sites, stolen funds, or full admin access within minutes.
GiveWP, used by nonprofits, religious groups, and political campaigns, handles millions in donations each year. A compromised site could face:
- Payment fraud through altered gateways
- Donor data leaks (names, emails, billing info)
- SEO poisoning with malicious redirects
- Full site takeover for phishing attacks
Wordfence detected active scans for vulnerable sites starting March 4, with at least three different attack methods seen. The plugin’s wide use by critical organizations makes timely patching essential.
Mitigation and Response
GiveWP released version 3.20.0 on March 4, fixing the flaw. Site admins should:
- Update to version 3.20.0
- Check logs for suspicious POST requests to /wp-json/give/v1/donations
- Revoke and regenerate payment API keys
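An added example of the log check above, written for this page and not taken from the article, GiveWP or Wordfence: it parses constructed combined-format access-log lines, flags POSTs to /wp-json/give/v1/donations that arrive without a Referer or that produced a 5xx response (both assumed heuristics, since a real donation form submission normally sets a Referer and succeeds), and reports whether an installed version is still below the fixed 3.20.0.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2025:10:01:02 +0000] "POST /wp-json/give/v1/donations HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [04/Mar/2025:10:01:03 +0000] "POST /wp-json/give/v1/donations?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [04/Mar/2025:10:05:44 +0000] "GET /donate/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2025:10:06:10 +0000] "POST /wp-json/give/v1/donations HTTP/1.1" 200 512 "https://example.org/donate/" "Mozilla/5.0"
192.0.2.55 - - [04/Mar/2025:10:07:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
DONATION_ENDPOINT = "/wp-json/give/v1/donations"  # endpoint named in the advisory
FIXED_VERSION = (3, 20, 0)                          # first patched GiveWP release

def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_donation_post(rec):
    """True for a POST to the donations endpoint, ignoring any query string."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path == DONATION_ENDPOINT

def suspicious_sources(log_text):
    """Return {ip: count} of donation-endpoint POSTs that had no Referer or got a 5xx.
    Both conditions are assumed heuristics for triage, not proof of exploitation."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_donation_post(rec):
            continue
        no_referer = rec["referer"] in ("", "-")
        server_error = rec["status"].startswith("5")
        if no_referer or server_error:
            hits[rec["ip"]] += 1
    return dict(hits)

def needs_update(installed):
    """True when the installed GiveWP version string is below the fixed 3.20.0."""
    return tuple(int(p) for p in installed.split(".")) < FIXED_VERSION

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))   # {'203.0.113.10': 2}
    print(needs_update("3.19.4"), needs_update("3.20.0"))
```

Source IPs that appear in the result are candidates for the malware scan and donor-account review the article recommends, not confirmed attackers.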
Wordfence warns older versions should assume compromise and recommends full malware scans and donor account monitoring.
Critics noted the patch came 48 hours after public disclosure, raising concerns about plugin security.
As of March 5, over 7,000 sites are still unpatched, while proof-of-concept exploits are already circulating. Immediate action is crucial to avoid major damage.