CVE-2025-4571

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/Endpoint.php#L26
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/GetLogs.php#L40
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/DeleteCampaignListTable.php#L40
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/GetCampaignsListTable.php#L95
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/Endpoint.php#L57
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/ListDonors.php#L31
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/EventTickets/Routes/UpdateEvent.php#L36
https://plugins.trac.wordpress.org/changeset/3305112/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c?source=cve

Configurations

No configuration.

History

23 Jun 2025, 20:16

Type	Values Removed	Values Added
Summary		(es) El complemento GiveWP – Donation Plugin and Fundraising Platform para WordPress es vulnerable a la visualización y modificación no autorizada de datos debido a una comprobación insuficiente de la capacidad de las funciones de comprobación de permisos en todas las versiones hasta la 4.3.0 incluida. Esto permite a atacantes autenticados, con acceso de colaborador o superior, ver o eliminar campañas de recaudación de fondos, consultar los datos de los donantes, modificar eventos de campaña, etc.

19 Jun 2025, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-19 07:15

Updated : 2025-06-23 20:16

NVD link : CVE-2025-4571

Mitre link : CVE-2025-4571

CVE.ORG link : CVE-2025-4571

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

5.4 /10