Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
Published: 2025-06-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Unauthorized Access and Modification
Action: Patch Plugin
AI Analysis

Impact

A flaw in the GiveWP donation and fundraising plugin allows authenticated WordPress users with Contributor-level permissions or higher to view and delete campaign data, inspect donor information, and alter campaign events. The vulnerability stems from an insufficient capability check in the permissionsCheck functions, giving attackers the same level of access as administrators over certain API endpoints and admin listings. This leads to potential exposure of sensitive donor data, loss of campaign visibility, and interference with fundraising operations.

Affected Systems

All WordPress installations that have the GiveWP plugin version 4.3.0 or earlier deployed are affected. The flaw is present in every version up to and including 4.3.0 of the GiveWP – Donation Plugin and Fundraising Platform, affecting sites that rely on this plugin to run donation campaigns.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity vulnerability, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The plugin is not listed in the CISA KEV catalog, which reduces immediate known threat urgency. Attackers must be authenticated as a Contributor or higher within the WordPress system; the likely attack vector involves using the plugin’s REST API endpoints or the admin UI to view or delete campaigns, donors, or event details. An attacker with these credentials can exploit the missing check to read or modify data that should be restricted to higher‑privilege roles.

Generated by OpenCVE AI on April 21, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GiveWP to the latest release that removes the insufficient capability check
  • Restrict Contributor and lower roles from permissions such as edit_give_campaigns, manage_give_donors, and edit_give_events using a role editor plugin
  • Enable logging and monitor for abnormal access patterns to campaign, donor, and event endpoints to detect unauthorized attempts

Generated by OpenCVE AI on April 21, 2026 at 20:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18683 The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
History

Thu, 10 Jul 2025 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Givewp
Givewp givewp
CPEs cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
Vendors & Products Givewp
Givewp givewp

Fri, 20 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Jun 2025 07:00:00 +0000

Type Values Removed Values Added
Description The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
Title GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Givewp Givewp
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:30.308Z

Reserved: 2025-05-12T09:07:33.465Z

Link: CVE-2025-4571

cve-icon Vulnrichment

Updated: 2025-06-20T12:38:16.726Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-19T07:15:27.383

Modified: 2025-07-10T00:04:02.257

Link: CVE-2025-4571

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses