A severe vulnerability has been identified in the GiveWP plugin, one of WordPress’s most widely used tools for online donations and fundraising. Tracked as CVE-2025-22777, the flaw carries a CVSS score of 9.8, placing it in the critical range.
With over 100,000 active installations, the GiveWP plugin powers countless donation platforms worldwide. As noted on their WordPress plugin page, “GiveWP is the highest rated, most downloaded, and best supported donation plugin for WordPress. Whether you need a simple donate button or a powerful donation platform optimized for online giving, GiveWP is right for you.”
However, the popularity of GiveWP has also made it a target for attackers, leading to the discovery of several vulnerabilities over the years.
The latest vulnerability, CVE-2025-22777, stems from unauthenticated PHP Object Injection: untrusted input is stored as metadata in the database and later deserialized, allowing attackers to bypass the plugin’s protections and potentially take over WordPress sites.
According to the report by security researcher Ananda Dhakal at Patchstack, the vulnerability exists in GiveWP versions 3.19.3 and below. Dhakal explains, “The whole serialized check was bypassable due to a weak regex check of the strings. An attacker could enter gibberish text in between the serialized payload that would make the regex check ineffective and store the malicious metadata in the DB that would eventually be deserialized.”
This isn’t the first time GiveWP has encountered such a vulnerability. The issue builds on a prior flaw, CVE-2024-5932, which involved the improper validation of form parameters like give-form-title and give_title. Although this was patched in version 3.14.2, researchers discovered that the regex-based serialized content validation could still be bypassed.
Patchstack Alliance member Edisc from Zalopay Security was able to exploit the vulnerability by injecting a special character sequence, such as %25F0%259F%2598%25BC, to bypass the weak regex validation.
The critical exploit scenario involves the company field in donation forms. Once a malicious payload is injected, it can be stored as metadata and later deserialized, enabling attackers to perform arbitrary file deletion, including the wp-config.php file. This deletion could result in full site takeover and remote code execution (RCE).
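The two lessons in the report above are that a regex cannot reliably decide whether a string is serialized PHP data, and that the damage comes from letting stored metadata instantiate arbitrary classes on read. The following PHP is an added illustration, not GiveWP’s code or its actual patch: the `looks_serialized_regex` pattern is a constructed stand-in for the kind of check the researchers describe as bypassable, and `read_meta_safely` / `sanitize_company_field` show the defensive handling a plugin can apply regardless of what upstream filters catch. The class name in the sample record is a placeholder.

```php
<?php
declare(strict_types=1);

/**
 * A "does this look serialized?" gate built from a regex, of the kind the
 * article describes as bypassable. Pattern matching over a flexible wire
 * format is fragile: any encoding or whitespace quirk the pattern did not
 * anticipate slips through, so this must never be the only line of defence.
 * (Constructed illustration, not the plugin's real pattern.)
 */
function looks_serialized_regex(string $value): bool
{
    return (bool) preg_match('/^(O|a|s|i|d|b|N):/', $value);
}

/**
 * Hardened read path: never let stored metadata materialise application
 * classes. With allowed_classes => false, PHP turns any O:... record into
 * __PHP_Incomplete_Class instead of instantiating the named class, so the
 * magic methods (__wakeup, __destruct) that object-injection gadget chains
 * rely on are never invoked. Returns the plain string when it is not
 * serialized at all.
 */
function read_meta_safely(string $stored)
{
    // unserialize() returns false on malformed input, but "b:0;" is the
    // legitimate encoding of false, so handle that case explicitly.
    if ($stored === 'b:0;') {
        return false;
    }
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if ($value === false) {
        return $stored;
    }
    return $value;
}

/**
 * Hardened write path for a field that is plain text by definition, such as
 * a donor's company name: enforce the string type, strip control characters
 * and cap the length. A value stored as a bounded plain string cannot later
 * be reinterpreted as an object graph, whatever downstream code does with it.
 */
function sanitize_company_field(string $input): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/u', '', $input) ?? '';
    return mb_substr(trim($clean), 0, 200);
}

// Constructed sample: a serialized object record with a placeholder class
// name, standing in for any value that reached metadata storage unchecked.
$record = 'O:10:"SomeGadget":1:{s:4:"name";s:4:"demo";}';

$result = read_meta_safely($record);
// The record is parsed, but no SomeGadget instance is ever created.
var_dump($result instanceof __PHP_Incomplete_Class);

// A benign company name passes through untouched, and a stray control
// character is stripped rather than stored.
var_dump(sanitize_company_field("Example Foundation\x00"));
```

The `allowed_classes` option of `unserialize()` exists in PHP 7.0 and later; on an older runtime the safe read path cannot be expressed this way, which is one more reason to treat free-text fields as plain strings at write time rather than relying on checks at read time.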
The GiveWP team has acted swiftly to address the vulnerability, releasing version 3.19.4 to fix the issue. Users are strongly encouraged to update to the latest version immediately to safeguard their websites.