- Description
- The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
- Source
- security@wordfence.com
- NVD status
- Analyzed
- Products
- givewp
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 2.5
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- security@wordfence.com
- CWE-285
- Hype score
- Not currently trending
CVE-2025-11227 Information Exposure in GiveWP WordPress Plugin via Unauthenticated Data Retrieval https://t.co/ccdiaoR7Rx
@VulmonFeeds
4 Oct 2025
🚨 CVE-2025-11227: GiveWP Donation Plugin for WordPress lets anyone query REST API endpoints and view private or draft donation forms and campaigns, no login needed. Update to 4.10.1+ now! Full advisory ➡️ https://t.co/As0KVaqu1d #WordPress #infosec
@VolerionSec
4 Oct 2025
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*",
            "matchCriteriaId": "8DC55D80-8F3E-4BCF-A8E5-077D85206D39",
            "versionEndExcluding": "4.10.1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]