Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
Published: 2025-10-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification through form‑campaign association
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the GiveWP plugin allows an attacker to associate any donation form with any campaign without authentication. This missing capability check permits unauthorized manipulation of campaign data, impacting the integrity of those records. The flaw is a classic case of Missing Authorization (CWE‑862).

Affected Systems

All installations of GiveWP – Donation Plugin and Fundraising Platform for WordPress running version 4.10.0 or earlier are impacted. The flaw is present in every release up to and including 4.10.0 and affects any site that has not yet upgraded to a newer version.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk; the EPSS score is below 1%, implying a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Because the function can be called without authentication, the likely attack vector is a direct web request to the `registerAssociateFormsWithCampaign` endpoint, allowing an unauthenticated user to execute the association operation.

Generated by OpenCVE AI on April 22, 2026 at 00:45 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the GiveWP plugin to the latest available version that addresses the missing capability check.
  • If an upgrade cannot be performed immediately, restrict POST/GET access to the /registerAssociateFormsWithCampaign route using a web application firewall or server‑side rules so that only authenticated sessions can reach it.
  • Review and tighten WordPress role capabilities so that only privileged users (e.g., administrators or editors) have permissions to modify donation form and campaign relationships.

Advisories
Source: EUVD
ID: EUVD-2025-32419
Title: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.

History

Wed, 26 Nov 2025 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Givewp; Givewp givewp |
| CPEs | | cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:* |
| Vendors & Products | | Givewp; Givewp givewp |

Mon, 06 Oct 2025 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 06 Oct 2025 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Givew; Givew donation Plugin And Fundraising Platform; Wordpress; Wordpress wordpress |
| Vendors & Products | | Givew; Givew donation Plugin And Fundraising Platform; Wordpress; Wordpress wordpress |

Sat, 04 Oct 2025 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign. |
| Title | | GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:12.808Z

Reserved: 2025-10-01T12:00:09.679Z

Link: CVE-2025-11228

Vulnrichment

Updated: 2025-10-06T14:13:31.787Z

NVD

Status: Analyzed

Published: 2025-10-04T03:15:37.043

Modified: 2025-11-26T17:04:30.613

Link: CVE-2025-11228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z
