
GiveWP – Donation Plugin and Fundraising Platform

Plugin slug: give
Total Installs: 100,000
Total Vulnerabilities: 12 (2 Critical, 1 High, 9 Medium, 0 Low)

Vulnerabilities (12)

GiveWP <= 4.13.1 - Cross-Site Request Forgery
medium Patched
CVSS Score 4.3
CWE CWE-352: Cross-Site Request Forgery (CSRF)
Published Dec 23, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.13.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action, provided they can trick a site administrator into performing an action such as clicking on a link.
GiveWP - Donation Plugin and Fundraising Platform <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name'
high Patched
CVSS Score 7.2
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published Nov 18, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability.
GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns Disclosure
medium Patched
CVSS Score 6.5
CWE CWE-285: Improper Authorization
Published Oct 3, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association
medium Patched
CVSS Score 5.3
CWE CWE-862: Missing Authorization
Published Oct 3, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Missing Authorization to Donation Update
medium Patched
CVE ID CVE-2025-7221
CVSS Score 4.3
CWE CWE-285: Improper Authorization
Published Aug 20, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donation statuses. This ability is not present in the user interface.
GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0 - Unauthenticated Donor Data Exposure
medium Patched
CVE ID CVE-2025-8620
CVSS Score 5.3
CWE CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Published Aug 5, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor IDs. CVE-2025-47444 is a duplicate of this issue.
GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting
medium Patched
CVE ID CVE-2025-7205
CVSS Score 5.4
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published Jul 30, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site.
GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification
medium Patched
CVE ID CVE-2025-4571
CVSS Score 5.4
CWE CWE-862: Missing Authorization
Published Jun 18, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure
medium Patched
CVE ID CVE-2025-2331
CVSS Score 5.3
CWE CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Published Mar 21, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.
Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function
medium Patched
CVE ID CVE-2025-2025
CVSS Score 6.5
CWE CWE-862: Missing Authorization
Published Mar 14, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.
GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection
critical Patched
CVE ID CVE-2025-0912
CVSS Score 9.8
CWE CWE-502: Deserialization of Untrusted Data
Published Mar 3, 2025
The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
GiveWP – Donation Plugin and Fundraising Platform <= 3.19.3 - Unauthenticated PHP Object Injection
critical Patched
CVSS Score 9.8
CWE CWE-502: Deserialization of Untrusted Data
Published Jan 10, 2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.3 via deserialization of untrusted input from the donation form through the 'company' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which makes remote code execution possible. Please note this covers a bypass of the fix for CVE-2024-12877.