CVE-2025-47444
📋 TL;DR
GiveWP WordPress plugin versions before 4.6.1 expose sensitive personal information (PII) in sent data. This vulnerability allows attackers to retrieve embedded sensitive data from the plugin's functionality. All WordPress sites using vulnerable GiveWP versions are affected.
💻 Affected Systems
- GiveWP WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest donor PII including names, email addresses, donation amounts, and potentially payment information, leading to identity theft, financial fraud, and regulatory compliance violations.
Likely Case
Unauthorized access to donor contact information and donation history, enabling phishing campaigns, spam, and privacy violations.
If Mitigated
With proper access controls and monitoring, exposure would be limited to authorized users only, though the underlying vulnerability remains.
🎯 Exploit Status
Exploitation requires understanding of the plugin's data flow but appears straightforward based on vulnerability description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.1
Vendor Advisory: https://github.com/impress-org/givewp/issues/8042
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find GiveWP and click 'Update Now'. 4. Verify version shows 4.6.1 or higher.
🔧 Temporary Workarounds
Disable GiveWP Plugin
allTemporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate give
Restrict Access
allImplement IP whitelisting or authentication requirements for GiveWP functionality
🧯 If You Can't Patch
- Implement web application firewall rules to block suspicious requests to GiveWP endpoints
- Enable detailed logging for all GiveWP-related requests and monitor for unusual access patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → GiveWP version numberCheck Version:
wp plugin list --name=give --field=versionVerify Fix Applied:
Verify GiveWP version is 4.6.1 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to GiveWP API endpoints
- Requests to donation-related endpoints from unexpected IPs
Network Indicators:
- Increased traffic to /wp-content/plugins/give/ endpoints
- Unusual data export requests
SIEM Query:
source="wordpress.log" AND (uri="/wp-content/plugins/give/*" OR plugin="givewp") AND status=200