GiveWP Donations Widget PHP Object Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A PHP object injection vulnerability has been identified in the GiveWP Donations Widget plugin for WordPress, affecting all versions through 3.19.4. It arises from the deserialization of untrusted input submitted to the Donation Form, specifically through the 'card_address' parameter. As a result, unauthenticated attackers can inject a PHP object, and if a suitable property-oriented programming (POP) chain is present, this could lead to remote code execution.

Impact

Exploitation of this vulnerability allows PHP object injection which, when a suitable POP chain is present, can be leveraged to execute arbitrary code on the server.

Reproduction

The vulnerability can be reproduced by submitting the donation form with a serialized PHP object in the 'card_address' parameter. The GiveWP Donations Widget deserializes this input, allowing the injected object to be processed by the application.
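A defender-side check for the condition described above, added here as an example and not taken from the plugin or the advisory: it parses a urlencoded donation-form body and reports whether the 'card_address' parameter (assumed to be sent as a POST field) carries a serialized PHP object, which a plain postal address never should. The request bodies are constructed samples, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# A serialized PHP object starts with  O:<namelen>:"<ClassName>":<propcount>:{
# The declared name length must equal the real class-name length; checking that
# filters out ordinary text that merely happens to contain "O:".  The lookbehind
# keeps "INFO:1:..."-style substrings from matching.
_PHP_OBJECT = re.compile(r'(?<![A-Za-z0-9])O:(\d+):"([^"]*)":(\d+):\{')


def php_objects_in(value: str) -> list:
    """Return the class names of serialized PHP objects found anywhere in value
    (also inside serialized arrays such as a:1:{i:0;O:...})."""
    found = []
    for m in _PHP_OBJECT.finditer(value):
        declared_len, name = int(m.group(1)), m.group(2)
        if len(name.encode()) == declared_len:
            found.append(name)
    return found


def check_donation_request(body: str, watched=("card_address",)) -> dict:
    """Parse a urlencoded form body and map each watched parameter to the
    serialized PHP object classes it carries; an empty dict means clean."""
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in watched:
        for raw in params.get(name, []):
            classes = php_objects_in(raw)
            if classes:
                hits.setdefault(name, []).extend(classes)
    return hits


# Constructed sample bodies (hypothetical field names besides card_address).
BENIGN = "give-form-id=12&card_address=123+Main+St&card_city=Springfield"
# card_address = O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}  (url-encoded)
SUSPICIOUS = ("give-form-id=12&card_address=O%3A8%3A%22stdClass%22%3A1%3A"
              "%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D")

if __name__ == "__main__":
    print(check_donation_request(BENIGN))      # {}
    print(check_donation_request(SUSPICIOUS))  # {'card_address': ['stdClass']}
```

The same pattern can be run over stored web-server logs to find earlier submissions; in application code the fix is to never pass form input to unserialize() at all.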

Remediation

Users are advised to update the GiveWP Donations Widget plugin to version 3.20.0 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 7.5
exploitability: 9.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.