CVE-2025-8620
📋 TL;DR
The GiveWP WordPress plugin up to version 4.6.0 exposes donor information including names, emails, and donor IDs to unauthenticated attackers. This vulnerability affects all WordPress sites using vulnerable versions of the GiveWP donation plugin. Attackers can harvest sensitive donor data without any authentication.
💻 Affected Systems
- GiveWP - Donation Plugin and Fundraising Platform
📦 What is this software?
GiveWP by GiveWP
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of donor PII leading to identity theft, phishing campaigns targeting donors, regulatory fines for data breaches, and reputational damage to the organization.
Likely Case
Targeted harvesting of donor contact information for spam campaigns, credential stuffing attacks using exposed emails, and potential GDPR/CCPA compliance violations.
If Mitigated
Limited exposure if the plugin is behind authentication or network controls, but the flaw still violates data privacy principles.
🎯 Exploit Status
Exploitation requires no authentication and appears to be straightforward based on the CWE-200 (Information Exposure) classification.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.1 or later
Vendor Advisory: https://github.com/impress-org/givewp/issues/8042
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find GiveWP plugin
4. Click 'Update Now' if update available
5. If no update appears, manually download version 4.6.1+ from WordPress.org
6. Deactivate old plugin, upload new version, activate
🔧 Temporary Workarounds
Temporary Plugin Deactivation
WordPress: Disable the GiveWP plugin until patched to prevent information exposure
wp plugin deactivate give
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to vulnerable endpoints
- Restrict access to WordPress admin and plugin directories using IP whitelisting
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for GiveWP version. If version is 4.6.0 or lower, you are vulnerable.
Check Version:
wp plugin list --name=give --field=version
Verify Fix Applied:
After updating, verify GiveWP version shows 4.6.1 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to GiveWP API endpoints
- Requests to donor-related endpoints from unauthenticated users
Network Indicators:
- Traffic patterns showing data extraction from /wp-json/give/ endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/give/*" OR user_agent="*scanner*") AND http_status=200
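The two log indicators above (request volume against /wp-json/give/ and scanner-like user agents on successful responses) can be checked directly against a web server access log. The following is an added example, not code from the advisory or from the GiveWP project; it assumes the common Apache/nginx "combined" log format, uses constructed sample lines with placeholder route segments (ROUTE-A, ROUTE-B, ROUTE-C) that stand in for real plugin routes, and uses an arbitrary volume threshold of 5 that should be tuned to the site's normal traffic.

```python
import re
from collections import defaultdict

# Regex for the "combined" access-log format used by Apache and nginx (assumption:
# the site logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

GIVE_PREFIX = "/wp-json/give/"      # endpoint family named in the advisory
SCANNER_UA_MARKERS = ("scanner",)   # mirrors the advisory's user_agent="*scanner*" rule
VOLUME_THRESHOLD = 5                # assumed tuning value; set from the site's baseline

# Constructed sample log lines (not from any real site). ROUTE-A/B/C are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:10:01:01 +0000] "GET /wp-json/give/ROUTE-A?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:02 +0000] "GET /wp-json/give/ROUTE-A?page=2 HTTP/1.1" 200 5118 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:03 +0000] "GET /wp-json/give/ROUTE-A?page=3 HTTP/1.1" 200 5122 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:04 +0000] "GET /wp-json/give/ROUTE-A?page=4 HTTP/1.1" 200 5119 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:05 +0000] "GET /wp-json/give/ROUTE-A?page=5 HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:06 +0000] "GET /wp-json/give/ROUTE-A?page=6 HTTP/1.1" 200 5117 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2025:10:05:00 +0000] "GET /wp-json/give/ROUTE-B HTTP/1.1" 200 812 "https://example.org/donate/" "Mozilla/5.0"
192.0.2.9 - - [12/Aug/2025:10:07:30 +0000] "GET /wp-json/give/ROUTE-A HTTP/1.1" 200 5120 "-" "acme-scanner/1.0"
192.0.2.9 - - [12/Aug/2025:10:07:31 +0000] "GET /wp-json/give/ROUTE-C HTTP/1.1" 404 0 "-" "acme-scanner/1.0"
198.51.100.4 - - [12/Aug/2025:10:08:00 +0000] "GET /donate/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    # Drop the query string so prefix matching cannot be fooled by "?x=/wp-json/give/".
    fields["path"] = fields["path"].split("?", 1)[0]
    return fields


def is_successful_give_request(rec):
    """True for a request to the GiveWP REST namespace that the server answered with 200."""
    return rec["path"].startswith(GIVE_PREFIX) and rec["status"] == 200


def analyze(lines, threshold=VOLUME_THRESHOLD):
    """Apply both advisory indicators and return the findings.

    high_volume_ips: source IPs with at least `threshold` successful GiveWP API hits.
    scanner_hits:    successful GiveWP API hits whose user agent looks like a scanner.
    """
    per_ip = defaultdict(int)
    scanner_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_successful_give_request(rec):
            continue
        per_ip[rec["ip"]] += 1
        ua = rec["ua"].lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            scanner_hits.append((rec["ip"], rec["ua"], rec["path"]))
    high_volume = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {"high_volume_ips": high_volume, "scanner_hits": scanner_hits}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG.splitlines())
    for ip, count in findings["high_volume_ips"].items():
        print(f"high volume: {ip} made {count} successful /wp-json/give/ requests")
    for ip, ua, path in findings["scanner_hits"]:
        print(f"scanner UA:  {ip} {ua!r} -> {path}")
```

Run against the real access log with `analyze(open("/var/log/nginx/access.log").readlines())` (path is an assumption). A high-volume hit from a single source on the donor-facing routes is the strongest signal of harvesting; the user-agent rule is cheap but easily evaded, so treat it as corroboration rather than a primary detection. Only 200 responses are counted because a patched site or a WAF rule that blocks the route produces 4xx, which is the expected post-mitigation state.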
🔗 References
- https://github.com/impress-org/givewp/issues/8042
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3336253%40give&new=3336253%40give&sfp_email=&sfph_mail=
- https://www.linkedin.com/posts/givewp_givewp-support-handpicked-from-the-best-activity-7356319738290974720-Dt4U/?utm_source=share&utm_medium=member_desktop&rcm=ACoAABmBk5UBxPIzCp0cgsD1_1xKASTMphetnI4
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc7c5a6-513e-4aa8-9538-0ac6fb37c867?source=cve