Description
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery. This issue affects GiveWP: from n/a through <= 4.13.1.
Published: 2025-12-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw, classified as CWE‑352, that allows an attacker to cause unauthorized requests to be sent to the GiveWP plugin from a victim's browser that holds a valid authenticated session. Because the forgery relies only on the browser automatically attaching the user's session cookie, the attacker needs no direct access to the site and no code execution, but the forged request can trigger unintended actions performed by the plugin on the victim's behalf.

Affected Systems

All releases of the StellarWP GiveWP plugin for WordPress, from the first available version through 4.13.1, are affected by the CSRF flaw.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate risk, while the EPSS score of less than 1% reflects a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, and an attacker must lure a logged‑in user to a crafted link or page to exploit the flaw; no remote code execution or privilege escalation is involved.

Generated by OpenCVE AI on April 30, 2026 at 04:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GiveWP plugin to version 4.13.2 or later, which removes the CSRF vulnerability.
  • If an immediate upgrade cannot be performed, limit GiveWP access to administrator users or disable the plugin for non‑administrator accounts to reduce the attack surface.
  • As a temporary safeguard, ensure that any forms or endpoints handled by the plugin use a CSRF token (nonce) and that authentication cookies are marked HttpOnly and Secure.

Generated by OpenCVE AI on April 30, 2026 at 04:58 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N'} | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Stellarwp; Stellarwp givewp; Wordpress; Wordpress wordpress
Vendors & Products | (none) | Stellarwp; Stellarwp givewp; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N'}
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 15:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery.This issue affects GiveWP: from n/a through <= 4.13.1.
Title | (none) | WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses | (none) | CWE-352
References | (none) | (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:19.298Z

Reserved: 2025-12-08T16:00:53.489Z

Link: CVE-2025-67467

Vulnrichment

Updated: 2025-12-09T15:39:51.803Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:22.767

Modified: 2026-04-27T17:16:41.930

Link: CVE-2025-67467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:00:14Z

Weaknesses