Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
Published: 2025-10-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Apply Patch
AI Analysis

Impact

The plugin exhibits a missing capability check on several REST API endpoints, allowing unauthenticated actors to call functions that would normally be restricted. This flaw enables the disclosure of sensitive data such as private and draft donation forms and archived campaigns, potentially exposing financial information, donor details, and campaign strategies. The weakness aligns with CWE‑285, representing an authorization bypass incident that compromises confidentiality on the affected site.

Affected Systems

GiveWP – Donation Plugin and Fundraising Platform for WordPress, any installation of versions 4.10.0 or earlier. The issue arises in the plugin’s REST API implementations within Company’s codebase; no other plugins or core WordPress components are directly implicated.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability presents medium severity. The EPSS score indicates a very low exploitation probability (<1%). It is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. Knowledge of the affected endpoints can be found in the source references, and the missing authorization check provides an attack vector for unauthenticated attackers, requiring no special credentials or elevated privileges.

Generated by OpenCVE AI on April 22, 2026 at 13:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GiveWP to version 4.10.1 or later, which includes an authorization check on the vulnerable REST endpoints
  • If upgrading immediately is not possible, disable the exposed REST routes or restrict them to authenticated users via custom code or additional middleware
  • Review and harden any custom integrations or plugins that interact with the DonationFormsEntityRoute or RegisterCampaignRoutes endpoints to ensure they enforce proper capability checks before processing requests

Generated by OpenCVE AI on April 22, 2026 at 13:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-32424 The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
History

Wed, 26 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Givewp
Givewp givewp
CPEs cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
Vendors & Products Givewp
Givewp givewp

Mon, 06 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Givew
Givew donation Plugin And Fundraising Platform
Wordpress
Wordpress wordpress
Vendors & Products Givew
Givew donation Plugin And Fundraising Platform
Wordpress
Wordpress wordpress

Sat, 04 Oct 2025 02:30:00 +0000

Type Values Removed Values Added
Description The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
Title GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns Disclosure
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Givew Donation Plugin And Fundraising Platform
Givewp Givewp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:24.277Z

Reserved: 2025-10-01T11:59:03.245Z

Link: CVE-2025-11227

cve-icon Vulnrichment

Updated: 2025-10-06T14:18:25.333Z

cve-icon NVD

Status : Analyzed

Published: 2025-10-04T03:15:36.873

Modified: 2025-11-26T17:03:10.513

Link: CVE-2025-11227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses