CVE-2025-11227
📋 TL;DR
The GiveWP WordPress plugin has an information disclosure vulnerability (CVE-2025-11227) that lets unauthenticated attackers read private donation forms and archived campaigns through the plugin's REST API. All WordPress sites running GiveWP up to and including 4.10.0 are affected; 4.10.1 fixes it. The root cause is missing authorization: the v3 REST routes for forms and campaigns do not restrict non-public items to users who are allowed to manage them.
💻 Affected Systems
- GiveWP - Donation Plugin and Fundraising Platform for WordPress
📦 What is this software?
GiveWP, by GiveWP: a donation and fundraising plugin for WordPress that provides donation forms and fundraising campaigns, which it exposes to its admin screens through the WordPress REST API.
⚠️ Risk & Real-World Impact
Worst Case
An attacker enumerates every private donation form and archived campaign on the site, including their configuration and whatever internal copy or notes administrators kept there, learning about unpublished or paused fundraising efforts and, depending on what was stored, donor-related details. The result is a reportable data exposure and reputational damage for the organisation.
Likely Case
Opportunistic unauthenticated requests to the two REST endpoints, exposing private form details and archived campaign information that were only ever meant to be visible in the admin screens.
If Mitigated
With the fix (or the workaround below) in place, requests for private forms and archived campaigns succeed only for users with the capability to manage them; unauthenticated callers see only what is public.
🎯 Exploit Status
No authentication or special tooling is needed: plain HTTP GET requests to the affected REST endpoints (/wp-json/give/v3/forms and /wp-json/give/v3/campaigns) return the private and archived items. A single request is enough to confirm whether a site is exposed, which makes scanning for it cheap.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.10.1 and later
Vendor Advisory: https://wordpress.org/plugins/give/#developers (plugin changelog, under the Developers tab)
Restart Required: No
Instructions:
1. Log into the WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find GiveWP and click 'Update Now' (or, with WP-CLI: wp plugin update give)
4. Verify the version shown is 4.10.1 or higher
🔧 Temporary Workarounds
Disable vulnerable REST endpoints
Add the following to a must-use plugin (wp-content/mu-plugins/) or the active theme's functions.php. It hides the affected routes, and every sub-route under them, from anyone who cannot manage the site, while leaving them available to administrators so the GiveWP admin screens keep working. Because it filters registered routes rather than URLs, it also covers sites that reach the REST API through ?rest_route=... instead of /wp-json/. Confirm the route prefixes against your site's REST index first (GET /wp-json/, the routes object); the prefixes below are the ones this advisory names. After enabling it, test a donation end to end as a logged-out visitor, since the filter also affects any legitimate anonymous use of these routes.

```php
add_filter('rest_endpoints', 'disable_givewp_vulnerable_endpoints');
function disable_givewp_vulnerable_endpoints($endpoints) {
    // Users who can manage the site keep the routes (the GiveWP admin screens need them).
    if (current_user_can('manage_options')) {
        return $endpoints;
    }
    // Drop the collection routes and every sub-route under them, not just the two exact keys.
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/give/v3/forms') === 0 || strpos($route, '/give/v3/campaigns') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
}
```
🧯 If You Can't Patch
- Temporarily deactivate the GiveWP plugin until patching is possible (donation forms stop working while it is off)
- Add web application firewall rules that block external requests to /wp-json/give/v3/forms and /wp-json/give/v3/campaigns including their sub-paths (for example /wp-json/give/v3/forms/123), and the equivalent ?rest_route=/give/v3/forms form used when pretty permalinks are off. Expect the GiveWP admin screens to break for anyone whose requests pass through the same rule.
🔍 How to Verify
Check if Vulnerable:
Check the GiveWP version under WordPress admin → Plugins → Installed Plugins. Any version up to and including 4.10.0 is affected.
Check Version:
wp plugin list --name=give --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify GiveWP version is 4.10.1 or higher in WordPress admin panel.
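A scripted version of the checks above, added here as an example and not code from the advisory or from GiveWP: it compares an installed version against the first fixed release (4.10.1, per this advisory) with a version-aware sort, and pulls the registered /give/v3/... routes out of a site's REST index (GET /wp-json/) so you can confirm which prefixes a workaround or WAF rule has to cover. The route prefix is the one this advisory names, the sample index JSON is constructed, and the live path assumes WP-CLI and curl are available.

```shell
#!/usr/bin/env bash
# Added example for CVE-2025-11227 checks; not code from the advisory or from GiveWP.
FIXED_VERSION="4.10.1"   # first patched release, per the advisory

# givewp_is_vulnerable VERSION -> succeeds (exit 0) when VERSION is older than FIXED_VERSION.
# sort -V orders version strings numerically per component, so 4.9.0 < 4.10.0 < 4.10.1,
# which a plain string comparison would get wrong.
givewp_is_vulnerable() {
    local v="$1" lowest
    if [ "$v" = "$FIXED_VERSION" ]; then
        return 1
    fi
    lowest="$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n1)"
    if [ "$lowest" = "$v" ]; then
        return 0
    fi
    return 1
}

# givewp_v3_routes < index.json -> prints each registered route under /give/v3/, one per line.
# Works on the JSON returned by GET /wp-json/ without jq: routes are the keys of the routes object.
givewp_v3_routes() {
    grep -o '"/give/v3/[^"]*"' | tr -d '"' | sort -u
}

# Constructed sample of the relevant part of a REST index; not captured from a real site.
SAMPLE_INDEX='{"routes":{"/give/v3":{"namespace":"give/v3"},"/give/v3/forms":{"methods":["GET"]},"/give/v3/forms/(?P<id>[\\d]+)":{"methods":["GET"]},"/give/v3/campaigns":{"methods":["GET"]},"/give/v3/campaigns/(?P<id>[\\d]+)":{"methods":["GET"]}}}'

# Offline demo on the constructed data.
for v in 4.9.0 4.10.0 4.10.1 4.11.0; do
    if givewp_is_vulnerable "$v"; then
        echo "GiveWP $v: affected, update to $FIXED_VERSION or later"
    else
        echo "GiveWP $v: not affected"
    fi
done
printf '%s' "$SAMPLE_INDEX" | givewp_v3_routes

# Live check against a real site: ./givewp-check.sh --live https://example.org
if [ "${1:-}" = "--live" ]; then
    ver="$(wp plugin list --name=give --field=version)"
    if givewp_is_vulnerable "$ver"; then
        echo "installed GiveWP $ver is affected by CVE-2025-11227"
    else
        echo "installed GiveWP $ver is not affected"
    fi
    curl -fsS "${2:?site URL required}/wp-json/" | givewp_v3_routes
fi
```

The route listing is the step most people skip: if the index shows routes under a different namespace than the one assumed by a workaround, the workaround silently protects nothing.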
📡 Detection & Monitoring
Log Indicators:
- Repeated GET requests to /wp-json/give/v3/forms or /wp-json/give/v3/campaigns (or their sub-paths) that carry no Referer from the site's own /wp-admin/; the GiveWP admin screens send one, scanners usually do not. The Referer is client-controlled, so treat this as a triage heuristic rather than proof.
- Requests to these routes arriving as ?rest_route=/give/v3/... on a site that otherwise uses /wp-json/
- Web server logs do not record the WordPress user. To establish which WordPress user (if any) read a private form, you need a WordPress-side audit log.
Network Indicators:
- Bursts of requests to the GiveWP REST endpoints from a single client, often with a scripting User-Agent and no other activity on the site
- Large responses from these endpoints to clients that never loaded wp-admin
SIEM Query (Splunk-style; field names follow the access_combined extractions, adjust them to your log source):
source="wordpress.log" (uri_path="/wp-json/give/v3/forms*" OR uri_path="/wp-json/give/v3/campaigns*") NOT referer="*/wp-admin/*" | stats count BY clientip | where count > 5
The HTTP auth-user field (user="-" in access logs) is not a useful filter here: it is "-" for every cookie-authenticated WordPress request, so it does not separate logged-in traffic from unauthenticated probes.
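The log indicators above, run over sample lines, as an added example that is not from the advisory or from GiveWP: it reads combined-format access logs and counts, per client IP, requests to the affected endpoints that arrived without a Referer under the site's own /wp-admin/, covering both the /wp-json/ and the ?rest_route= URL forms. The endpoint paths are the ones this advisory names; the log lines are constructed, not captured, and the wp-admin Referer on the legitimate request is an assumption about how the GiveWP admin screens call these routes.

```shell
#!/usr/bin/env bash
# Added example: access-log triage for CVE-2025-11227 probing; not code from the advisory or GiveWP.

# givewp_rest_probes [ACCESS_LOG ...] -> prints "<hits> <client-ip>", most active first, for
# clients that requested /wp-json/give/v3/forms or /wp-json/give/v3/campaigns (or sub-paths,
# or the ?rest_route= equivalent) without a Referer under /wp-admin/. Reads stdin if no file.
# Combined log format fields: $1 client IP, $7 request path, $11 quoted Referer.
givewp_rest_probes() {
    awk '
        ($7 ~ "^/wp-json/give/v3/(forms|campaigns)(/|[?]|$)" ||
         $7 ~ "[?&]rest_route=(/|%2F|%2f)give(/|%2F|%2f)v3(/|%2F|%2f)(forms|campaigns)") &&
        $11 !~ "/wp-admin/" { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -rn
}

# Constructed sample lines (combined log format); not taken from a real server.
# 203.0.113.7 scripts three direct hits, 198.51.100.77 uses the ?rest_route= form once,
# 198.51.100.23 is an administrator whose browser sends a wp-admin Referer (assumed), and
# 192.0.2.9 touches an unrelated REST route.
SAMPLE_LOG='203.0.113.7 - - [20/Oct/2025:10:01:02 +0000] "GET /wp-json/give/v3/campaigns HTTP/1.1" 200 8123 "-" "python-requests/2.32.0"
203.0.113.7 - - [20/Oct/2025:10:01:03 +0000] "GET /wp-json/give/v3/forms HTTP/1.1" 200 15234 "-" "python-requests/2.32.0"
203.0.113.7 - - [20/Oct/2025:10:01:04 +0000] "GET /wp-json/give/v3/forms/42 HTTP/1.1" 200 4112 "-" "python-requests/2.32.0"
198.51.100.23 - - [20/Oct/2025:10:05:00 +0000] "GET /wp-json/give/v3/campaigns HTTP/1.1" 200 9001 "https://example.org/wp-admin/" "Mozilla/5.0"
198.51.100.77 - - [20/Oct/2025:10:07:30 +0000] "GET /?rest_route=/give/v3/campaigns HTTP/1.1" 200 8123 "-" "Go-http-client/1.1"
192.0.2.9 - - [20/Oct/2025:10:06:11 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "curl/8.4.0"'

# Demo on the constructed lines; on a real host: givewp_rest_probes /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | givewp_rest_probes   # prints: 3 203.0.113.7 / 1 198.51.100.77
```

Treat the output as a list of clients to look at, not as confirmed exploitation: the Referer check only removes the obvious admin-screen traffic, and anything it flags should be cross-checked against a WordPress-side audit log that records who actually read private forms.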
🔗 References
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L60 (campaign route registration, GiveWP 4.9.0)
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L91 (campaign route registration, GiveWP 4.9.0)
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L52 (donation form route registration, GiveWP 4.9.0)
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L82 (donation form route registration, GiveWP 4.9.0)
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371948%40give&new=3371948%40give&sfp_email=&sfph_mail= (plugin changeset 3371948)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/54db1807-69ff-445c-9e02-9abce9fd3940?source=cve (Wordfence vulnerability record)