GiveWP Donation Plugin and Fundraising Platform Improper Authorization Vulnerability Allowing Information Exposure

Vulnerability

A vulnerability allowing information exposure has been identified in the GiveWP Donation Plugin and Fundraising Platform for WordPress, affecting all versions through 4.10.0. The issue arises from missing capability checks in several functions, including 'registerGetForm', 'registerGetForms', 'registerGetCampaign', and 'registerGetCampaigns'. This vulnerability allows unauthenticated attackers to access data from private and draft donation forms, as well as archived campaigns.
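The root cause described above is a REST route whose permission check does not gate non-public content. The following is an added illustration, not GiveWP's code: it registers the same read endpoints in the weak form (a permission callback that always allows access, and a handler that ignores post status) next to a hardened form that keeps published forms public but requires a capability for draft, private or otherwise unpublished ones. The route namespace `example/v1`, the post type `example_form`, and every `example_*` function name are placeholders chosen for this example and are not the plugin's real identifiers.

```php
<?php
// Added example (not GiveWP's code). Namespace, post type and function
// names are assumed placeholders, not the plugin's real identifiers.

add_action( 'rest_api_init', function () {

    // Weak pattern: the permission callback always returns true and the
    // handler never looks at post status, so an unauthenticated visitor
    // can read draft and private forms. This is the shape of the bug.
    register_rest_route( 'example/v1', '/forms-unchecked/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_form_unchecked',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: the permission callback decides per post.
    register_rest_route( 'example/v1', '/forms/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_form',
        'permission_callback' => 'example_can_read_form',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );

    // Collection endpoint: anonymous callers only ever see published forms.
    register_rest_route( 'example/v1', '/forms', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_forms',
        'permission_callback' => '__return_true', // public list, filtered below
    ) );
} );

function example_form_to_array( WP_Post $post ) {
    return array(
        'id'     => $post->ID,
        'title'  => $post->post_title,
        'status' => $post->post_status,
    );
}

// Vulnerable handler: returns the post whatever its status.
function example_get_form_unchecked( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_not_found', 'Form not found', array( 'status' => 404 ) );
    }
    return rest_ensure_response( example_form_to_array( $post ) );
}

// Permission callback for the hardened single-item route.
function example_can_read_form( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    // Same 404 for "missing" and "wrong type" so IDs are not enumerable by
    // distinguishing responses.
    if ( ! $post || 'example_form' !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'Form not found', array( 'status' => 404 ) );
    }
    if ( 'publish' === $post->post_status ) {
        return true;
    }
    // Draft, private, pending, etc.: 'read_post' is a meta capability that
    // WordPress maps to the post type's edit/read_private caps, so the
    // owner and editors pass while anonymous users fail.
    if ( current_user_can( 'read_post', $post->ID ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to view this form',
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}

function example_get_form( WP_REST_Request $request ) {
    // By the time this runs, example_can_read_form has already allowed it.
    return rest_ensure_response( example_form_to_array( get_post( (int) $request['id'] ) ) );
}

function example_get_forms( WP_REST_Request $request ) {
    // Status filter is chosen by capability, not by the caller's input.
    $statuses = current_user_can( 'read_private_posts' )
        ? array( 'publish', 'draft', 'private' )
        : array( 'publish' );

    $query = new WP_Query( array(
        'post_type'      => 'example_form',
        'post_status'    => $statuses,
        'posts_per_page' => 50,
    ) );

    return rest_ensure_response( array_map( 'example_form_to_array', $query->posts ) );
}
```

The check that matters is inside `permission_callback`, not in the handler: WordPress evaluates it before dispatch, and a `WP_Error` returned there becomes the HTTP response, so a missing or permissive callback is exactly the condition that lets unauthenticated requests reach non-public data. When reviewing a plugin for this class of issue, grep every `register_rest_route` call and confirm that each `permission_callback` either requires a capability or, for intentionally public routes, that the handler filters by post status as the collection handler above does.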

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, including data from private and draft donation forms and archived campaigns.

Reproduction

The vulnerability can be reproduced by sending a request to the WordPress REST API endpoints registered by the affected plugin version. The 'registerGetForms' and 'registerGetForm' functions expose donation form data, while 'registerGetCampaigns' and 'registerGetCampaign' expose campaign data. No authentication is required to reach these endpoints, allowing unauthorized information extraction.

Remediation

Users are advised to update the GiveWP Donation Plugin and Fundraising Platform to version 4.10.1 or later.

Added: Oct 4, 2025, 3:24 AM
Updated: Oct 4, 2025, 3:24 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 8.6
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.