CVE-2025-4571
GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
19 Jun 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected products
stellarwp · GiveWP – Donation Plugin and Fundraising PlatformWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/Endpoint.php#L26https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/GetLogs.php#L40https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/DeleteCampaignListTable.php#L40https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/GetCampaignsListTable.php#L95https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/Endpoint.php#L57https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/ListDonors.php#L31https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/EventTickets/Routes/UpdateEvent.php#L36https://plugins.trac.wordpress.org/changeset/3305112/https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c?source=cve