Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.
Published: 2025-08-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of donation status
Action: Update plugin
AI Analysis

Impact

The vulnerability arises from a missing capability check in the give_update_payment_status() function, allowing any authenticated user with GiveWP Worker-level access or higher to change the status of a donation. This flaw does not appear in the user interface but can be exploited through the plugin's backend logic. The impact is that attackers can alter donation records to mark funds as collected, refunded, or otherwise modified, undermining financial integrity and potentially defrauding donors or administrators. The flaw is a classic missing authorization check (CWE‑285) and is likely exploited via the plugin’s API or backend interface by an authenticated user with Worker-level or higher capability.

Affected Systems

The issue affects the GiveWP – Donation Plugin and Fundraising Platform provided by StellarWP, versions up to and including 4.5.0, deployed on WordPress installations.

Risk and Exploitability

With a CVSS score of 4.3 the flaw is of moderate severity, and an EPSS score of less than 1% indicates a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and possess at least Worker-level capability; exploitation can occur via the plugin's API or back‑end interfaces. No external input is required to trigger the flaw.

Generated by OpenCVE AI on April 21, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GiveWP to the latest version (4.5.1 or later) to restore proper capability checks.
  • Review and minimize Worker-level permissions, ensuring only trusted accounts retain the ability to manage donations.
  • If an immediate upgrade is not possible, temporarily revoke GiveWP Worker capability from all users except those who must manage donations or implement a custom patch that blocks status changes by unauthorized roles.

Generated by OpenCVE AI on April 21, 2026 at 19:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28780 The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.
History

Wed, 03 Dec 2025 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Givewp
Givewp givewp
CPEs cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
Vendors & Products Givewp
Givewp givewp

Thu, 21 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Givew
Givew donation Plugin And Fundraising Platform
Wordpress
Wordpress wordpress
Vendors & Products Givew
Givew donation Plugin And Fundraising Platform
Wordpress
Wordpress wordpress

Thu, 21 Aug 2025 05:45:00 +0000

Type Values Removed Values Added
Description The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.
Title GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Missing Authorization to Donation Update
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Givew Donation Plugin And Fundraising Platform
Givewp Givewp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:07.638Z

Reserved: 2025-07-07T14:36:20.359Z

Link: CVE-2025-7221

cve-icon Vulnrichment

Updated: 2025-08-21T15:03:34.107Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-21T06:15:34.143

Modified: 2025-12-03T13:30:05.103

Link: CVE-2025-7221

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses