Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.
Published: 2025-03-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Update
AI Analysis

Impact

The vulnerability resides in a misconfigured capability check within the permissionsCheck function of the GiveWP Donation Plugin and Fundraising Platform. This flaw (CWE-200, Sensitive Information Exposure) allows authenticated users who have Subscriber-level roles or higher to access API endpoints and retrieve donor reports that include amounts and personal information. The impact is the exposure of confidential data, violating the confidentiality property and potentially leading to privacy breaches for donors.

Affected Systems

Affects all versions of the GiveWP plugin for WordPress up to and including 3.22.1, regardless of the WordPress core version. Users who run any vulnerable version of the plugin, whether on public or private sites, are at risk.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, while the EPSS score indicates a very low likelihood of exploitation (under 1 percent). The vulnerability requires legitimate credentials, so it is limited to authenticated subscribers or higher-level accounts. The attacker can exploit the flaw by calling the relevant API endpoints to pull sensitive donation data; the absence of a KEV listing further underlines the current low exploitation probability.

Generated by OpenCVE AI on April 21, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GiveWP to version 3.22.2 or newer, which removes the misconfigured permission check.
  • If an immediate upgrade is not possible, restrict the Subscriber role from the capability that allows report generation by removing the associated capability in WordPress role management or the plugin’s role configuration.
  • Audit the site’s role and capability assignments to ensure no unauthorized users have reporting access, especially if custom roles or plugins are used to extend permissions.

Generated by OpenCVE AI on April 21, 2026 at 21:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7280 The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.
History

Mon, 11 Aug 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Givewp
Givewp givewp
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
Vendors & Products Givewp
Givewp givewp

Mon, 24 Mar 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 22 Mar 2025 11:30:00 +0000

Type Values Removed Values Added
Description The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.
Title GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Givewp Givewp
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:05.360Z

Reserved: 2025-03-14T23:28:16.875Z

Link: CVE-2025-2331

cve-icon Vulnrichment

Updated: 2025-03-24T19:20:05.730Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-22T12:15:26.833

Modified: 2025-08-11T14:17:42.643

Link: CVE-2025-2331

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses