CVE-2025-4571
📋 TL;DR
The GiveWP WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Contributor-level permissions or higher to view and modify sensitive data. Attackers can access fundraising campaigns, donor information, and modify campaign events without proper authorization. This affects all WordPress sites using GiveWP version 4.3.0 or earlier.
💻 Affected Systems
- GiveWP - Donation Plugin and Fundraising Platform for WordPress
📦 What is this software?
GiveWP by GiveWP
⚠️ Risk & Real-World Impact
Worst Case
Malicious contributors could delete all fundraising campaigns, exfiltrate donor PII data, and disrupt fundraising operations completely.
Likely Case
Unauthorized viewing of donor data and campaign information, potentially leading to data privacy violations and reputational damage.
If Mitigated
Limited impact if proper access controls and monitoring are in place, with quick detection of unauthorized activities.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Contributor role is commonly granted to untrusted users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.1 or later
Vendor Advisory: https://wordpress.org/plugins/give/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find GiveWP plugin
4. Click 'Update Now' if available
5. If not available, download version 4.3.1+ from WordPress.org and manually update
🔧 Temporary Workarounds
Temporary Role Restriction
Temporarily remove Contributor and Author roles from untrusted users until patching is complete.
Plugin Deactivation
Temporarily deactivate the GiveWP plugin if fundraising operations can be paused.
🧯 If You Can't Patch
- Implement strict user role management and audit all users with Contributor or higher permissions
- Enable detailed logging of all GiveWP plugin activities and set up alerts for suspicious actions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → GiveWP version. If version is 4.3.0 or lower, you are vulnerable.
Check Version:
wp plugin list --name=give --field=version
Verify Fix Applied:
After updating, verify GiveWP version shows 4.3.1 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized API calls to GiveWP endpoints by Contributor users
- Unexpected campaign deletions or modifications
- Access to donor data by non-admin users
Network Indicators:
- Unusual API requests to /wp-json/give/ endpoints from non-admin users
SIEM Query:
source="wordpress.log" AND ("give/v2" OR "givewp") AND user_role="contributor" AND (action="delete" OR action="view" OR action="modify")
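As an added example that is not part of this advisory or of the GiveWP project, the Python script below combines the two checks this page describes: the version test from "How to Verify" (anything below 4.3.1 is treated as unpatched) and the detection logic from "Detection & Monitoring" (GiveWP REST requests under /wp-json/give/ made by Contributor-level roles). The log line format, its field names, the user names, the endpoint paths after /wp-json/give/ and the sample lines are all constructed for the example; adapt the parser to whatever your WordPress activity or access logging actually emits.

```python
"""Added example, not code from the advisory or from GiveWP.

Two defender-side checks for CVE-2025-4571:
  1. is_vulnerable_version(): compare an installed GiveWP version string
     (e.g. the output of `wp plugin list --name=give --field=version`)
     against the patched release 4.3.1.
  2. flag_give_requests(): scan log lines for GiveWP REST calls made by
     non-admin roles, which the advisory lists as a log/network indicator.

The log format, role names, endpoint paths and sample lines are constructed
assumptions for this example, not a real GiveWP or WordPress log format.
"""
import re
from typing import Dict, Iterable, List, Tuple

PATCHED_VERSION = (4, 3, 1)  # fix version named in the advisory

# Non-admin roles whose GiveWP REST activity should be reviewed (assumption:
# Contributor and up are the roles the advisory says can reach the endpoints).
WATCH_ROLES = {"contributor", "author", "editor"}

# Network indicator from the advisory: requests to /wp-json/give/ endpoints.
GIVE_PATH = re.compile(r"^/wp-json/give(?:/|$)")

# Constructed key=value log format; replace with your own logger's layout.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.3.0' into (4, 3, 0); a non-numeric suffix such as '-beta' is dropped.

    Tuple comparison avoids the classic string-compare mistake where
    '4.10.0' < '4.3.1' would wrongly report a fixed install as vulnerable.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the installed GiveWP version is below the patched 4.3.1."""
    return parse_version(version) < PATCHED_VERSION


def flag_give_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per GiveWP REST request made by a watched role.

    'succeeded' distinguishes calls that got a 2xx (possible unauthorized
    access) from calls that were rejected (the access control worked, but the
    attempt is still worth reviewing).
    """
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparseable line; a real pipeline should count these
        role = match["role"].lower()
        if role not in WATCH_ROLES or not GIVE_PATH.match(match["path"]):
            continue
        status = int(match["status"])
        hits.append({
            "ts": match["ts"],
            "user": match["user"],
            "role": role,
            "method": match["method"],
            "path": match["path"],
            "succeeded": 200 <= status < 300,
        })
    return hits


# Constructed sample log: one admin call, three contributor/author calls to
# GiveWP endpoints, one contributor call elsewhere, one garbage line.
SAMPLE_LOG = """\
2025-05-20T10:15:01Z user=admin role=administrator method=GET path=/wp-json/give/v2/donors status=200
2025-05-20T10:16:44Z user=guestwriter role=contributor method=GET path=/wp-json/give/v2/donors status=200
2025-05-20T10:17:02Z user=guestwriter role=contributor method=DELETE path=/wp-json/give/v2/campaigns status=200
2025-05-20T10:18:30Z user=guestwriter role=contributor method=GET path=/wp-json/wp/v2/posts status=200
2025-05-20T10:19:11Z user=blogger role=author method=POST path=/wp-json/give/v2/events status=403
not a log line
"""

if __name__ == "__main__":
    for v in ("4.2.0", "4.3.0", "4.3.1", "4.10.0"):
        print(f"GiveWP {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for hit in flag_give_requests(SAMPLE_LOG.splitlines()):
        state = "SUCCESS" if hit["succeeded"] else "denied"
        print(f"{hit['ts']} {hit['user']}({hit['role']}) {hit['method']} {hit['path']} [{state}]")
```

Feed `flag_give_requests` the real log stream once the regex matches your format; successful entries by Contributor-level accounts on an unpatched install are the ones to treat as possible exploitation, while denied entries show the control holding but still identify accounts worth reviewing.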
🔗 References
- https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/Endpoint.php#L26
- https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/GetLogs.php#L40
- https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/DeleteCampaignListTable.php#L40
- https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/GetCampaignsListTable.php#L95
- https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/Endpoint.php#L57
- https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/ListDonors.php#L31
- https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/EventTickets/Routes/UpdateEvent.php#L36
- https://plugins.trac.wordpress.org/changeset/3305112/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c?source=cve