CVE-2025-22777
WordPress GiveWP Plugin <= 3.19.3 - PHP Object Injection vulnerability
In short
The GiveWP WordPress plugin has a flaw that allows attackers to inject malicious code by sending specially crafted data. If exploited, an attacker could take control of the website or steal sensitive information.
Technical detail
A PHP object deserialization vulnerability (CWE-502) in GiveWP <= 3.19.3 permits unauthenticated object injection through untrusted serialized data. An attacker can craft malicious serialized objects to trigger arbitrary code execution or access sensitive functionality without requiring authentication or user interaction.
Summary generated and translated by AI from the official description.
Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give allows Object Injection. This issue affects GiveWP: from n/a through <= 3.19.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
StellarWP · GiveWP