CVE-2025-22777

CRITICAL

GiveWP <= 3.19.3 - PHP Object Injection via Untrusted Data Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-22777. PoCs published by SevDMG, RandomRobbieBF.

AI-analyzed exploit summary This repository contains a Proof of Concept for CVE-2025-22777, targeting a PHP object injection vulnerability in the GiveWP WordPress plugin. The PoC includes serialization/deserialization tests and an exploit script to demonstrate the vulnerability.

Description

Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give allows Object Injection.This issue affects GiveWP: from n/a through <= 3.19.3.

Exploits (2)

nomisec WORKING POC

by SevDMG · poc

https://github.com/SevDMG/CVE-2025-22777-GiveWP-Plugin-PHP-Object-Injection-Point-PoC-

View Code ZIP pw:eip

This repository contains a Proof of Concept for CVE-2025-22777, targeting a PHP object injection vulnerability in the GiveWP WordPress plugin. The PoC includes serialization/deserialization tests and an exploit script to demonstrate the vulnerability.

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: GiveWP WordPress Plugin

No auth needed

Prerequisites: Access to a vulnerable GiveWP WordPress plugin instance

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2025-22777

View Code ZIP pw:eip

This PoC demonstrates an unauthenticated PHP Object Injection vulnerability in GiveWP <= 3.19.3 via the 'company' parameter in donation forms. The exploit leverages deserialization to achieve arbitrary file deletion, potentially leading to remote code execution (RCE).

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: GiveWP – Donation Plugin and Fundraising Platform <= 3.19.3

No auth needed

Prerequisites: WordPress with GiveWP plugin <= 3.19.3 · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vdb Entry vdb-entry

https://patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-3-19-3-php-object-injection-vulnerability?_s_id=cve

Third Party Advisory

https://patchstack.com/database/wordpress/plugin/give/vulnerability/wordpress-givewp-plugin-3-19-3-php-object-injection-vulnerability?_s_id=cve

Permissions Required, Third Party Advisory

https://securityonline.info/cve-2025-22777-cvss-9-8-critical-security-alert-for-givewp-plugin-with-100000-active-installations/

Scores

CVSS v3 9.8

EPSS 0.0091

EPSS Percentile 55.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (2)

givewp/givewp < 3.19.4

StellarWP/GiveWP < 3.19.3

Published Jan 13, 2025

Tracked Since Feb 18, 2026