Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.
Published: 2025-03-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Earnings Reports
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a missing capability check in the give_reports_earnings() function of the GiveWP – Donation Plugin and Fundraising Platform. Because the function never verifies that the caller holds the required capability, any unauthenticated visitor who reaches it can request earnings reports and retrieve sensitive financial and donor information. The flaw is classified as Missing Authorization (CWE-862). It compromises the confidentiality of donor data and financial statements but does not affect the ability to perform other operations or to modify data.

Affected Systems

WordPress sites that host the GiveWP – Donation Plugin and Fundraising Platform (vendor identifier: stellarwp) in any version up to and including 3.22.0 are affected. Administrators should verify the installed plugin version and apply the latest release to mitigate the risk. No other vendors or products are mentioned in the vulnerability report.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate impact, and with an EPSS score of < 1% the likelihood of automated exploitation is low. The vulnerability is not listed in CISA’s KEV catalog. The report implies that an attacker can trigger the flaw by invoking the give_reports_earnings function, or the admin endpoint that calls it, without authentication. Successful execution would expose earnings data to the attacker.

Generated by OpenCVE AI on April 22, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the GiveWP plugin to the newest available release that includes the missing capability check.
  • If an immediate update is not possible, restrict access to the Earnings Reports section by enforcing a `capability` on the relevant `add_submenu_page` registration, or by removing the page via plugin hooks, so that only authenticated administrators can view the reports.
  • Monitor web server logs for abnormal access patterns to the reports endpoint and block IPs that repeatedly request earnings data from unauthenticated sessions.
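The following PHP is an added illustration of the capability-check pattern the recommended actions refer to; it is not code from GiveWP or from the OpenCVE page. It shows a report callback with the CWE-862 defect (no authorization check) beside a hardened version that gates both the admin page registration and the callback itself. The function names, menu slugs, nonce action, the `manage_options` capability and the sample earnings rows are all assumptions for the example; only `current_user_can`, `wp_die`, `add_action`, `add_submenu_page`, `check_ajax_referer`, `wp_send_json_error` and `wp_send_json_success` are real WordPress core APIs.

```php
<?php
/**
 * Added example (not GiveWP code): a report callback with a missing
 * capability check, and a hardened version of the same callback.
 * All example_* names, slugs and capabilities are hypothetical.
 */

// Stand-in for the earnings data a real plugin would query from the database.
// These two rows are constructed sample values.
function example_collect_earnings(): array {
    return [
        [ 'month' => '2025-01', 'total' => 1240.50 ],
        [ 'month' => '2025-02', 'total' =>  980.00 ],
    ];
}

// Vulnerable pattern (CWE-862): whoever can reach this function gets the data,
// regardless of whether the request is authenticated at all.
function example_reports_earnings_unchecked(): array {
    return example_collect_earnings();
}

// Hardened pattern: the callback verifies the capability itself, so it stays
// safe even when reached through a route other than the admin menu.
// 'manage_options' is an assumed placeholder; a plugin would use its own capability.
function example_reports_earnings( string $capability = 'manage_options' ): array {
    if ( ! current_user_can( $capability ) ) {
        // Integer second argument to wp_die() is used as the HTTP response code.
        wp_die( esc_html__( 'You are not allowed to view earnings reports.' ), 403 );
    }
    return example_collect_earnings();
}

// Admin page registration: the `capability` argument makes WordPress core deny
// both the menu entry and the page callback to users who lack it.
add_action( 'admin_menu', function () {
    add_submenu_page(
        'example-parent-slug',   // assumed parent menu slug
        'Earnings report',
        'Earnings',
        'manage_options',        // capability gate enforced by core
        'example-earnings',      // assumed page slug
        function () {
            // Defense in depth: re-check inside the callback as well.
            $rows = example_reports_earnings( 'manage_options' );
            echo '<table>';
            foreach ( $rows as $row ) {
                printf(
                    '<tr><td>%s</td><td>%s</td></tr>',
                    esc_html( $row['month'] ),
                    esc_html( number_format( $row['total'], 2 ) )
                );
            }
            echo '</table>';
        }
    );
} );

// AJAX variant: only the authenticated wp_ajax_ hook is registered (no
// wp_ajax_nopriv_ counterpart), and the handler still verifies a nonce and
// the capability before returning any figures.
add_action( 'wp_ajax_example_earnings', function () {
    check_ajax_referer( 'example_earnings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( [ 'message' => 'forbidden' ], 403 );
    }
    wp_send_json_success( example_collect_earnings() );
} );
```

The point of checking in both places is that a capability on `add_submenu_page` only protects the menu route; a report function that is also callable from an AJAX action, a shortcode or another plugin must enforce the capability itself, which is exactly the gap this advisory describes.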

Advisories

Source: EUVD
ID: EUVD-2025-6623
Title: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00062}
Values Added: {'score': 0.00087}


Tue, 25 Mar 2025 20:15:00 +0000

Type: First Time appeared
Values Added: Givewp; Givewp givewp
Type: CPEs
Values Added: cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Givewp; Givewp givewp

Mon, 17 Mar 2025 22:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 15 Mar 2025 11:30:00 +0000

Type: Description
Values Added: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.
Type: Title
Values Added: Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:22.476Z

Reserved: 2025-03-06T01:06:40.782Z

Link: CVE-2025-2025

Vulnrichment

Updated: 2025-03-17T21:25:14.899Z

NVD

Status : Analyzed

Published: 2025-03-15T12:15:12.207

Modified: 2025-03-25T19:48:15.730

Link: CVE-2025-2025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses