Overview
The plugin (versions 3.19.3 and earlier) contains an unauthenticated PHP Object Injection vulnerability. This issue arose from the insecure storage of metadata in the database, which was subsequently unserialised. While this vulnerability was previously identified and resolved by GiveWP in version 3.14.2 and earlier, Edisc from Zalopay Security, a member of the Patchstack Alliance, discovered a bypass to the fix.
This led to the emergence of a new unauthenticated PHP Object Injection vulnerability, now tracked as CVE-2025-22777.
Affected Plugin: GiveWP: WP Charity Donation Plugin Version <= 3.19.3.
The GiveWP Plugin is widely trusted within the WordPress community to handle donations, fundraising, and payment processing for websites. It is actively used by thousands of websites worldwide to manage charitable giving.
Preventive Measures
To protect your WordPress website from similar vulnerabilities in the future, consider the following best practices:
- Regularly update all plugins, themes, and WordPress core files. Vulnerabilities are often discovered and patched in subsequent updates.
- Implement privilege access by ensuring that only authorised users have access to sensitive site functionality, such as donation management and payment processing.
- Use two-factor authentication (2FA) for logging in to the WordPress admin area to further secure access.
- Consider reviewing your plugins for security risks, particularly those that involve data serialisation and unserialisation, to avoid issues like PHP Object Injection.
Conclusion
The WP Backup & Migration plugin has been patched. It is advised to update to version 1.24.12, or a newer patched version. If you’re on one of our maintenance or support plans – fear not! Your plugin has already been updated.
For more information on WordPress security and steps to protect your site, feel free to reach out on our contact page or feel free to book a discovery call