CVE-2024-5940: CWE-862 Missing Authorization in webdevmattcrom GiveWP – Donation Plugin and Fundraising Platform
CVE-2024-5940 is a medium severity vulnerability in the GiveWP Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to 3. 13. 0. The flaw arises from a missing authorization check in the 'handle_request' function, allowing unauthenticated attackers to modify event ticket settings if the Events beta feature is enabled. Exploitation requires no user interaction or authentication and can impact data integrity and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to websites using this popular donation plugin, especially those leveraging event ticketing features. Organizations relying on GiveWP for fundraising should prioritize patching or disabling the Events beta feature until a fix is available. The vulnerability has a CVSS score of 6. 5, reflecting moderate risk due to ease of exploitation and potential impact. Countries with significant WordPress usage and active fundraising platforms are most at risk.
AI Analysis
Technical Summary
CVE-2024-5940 is a vulnerability identified in the GiveWP – Donation Plugin and Fundraising Platform, a widely used WordPress plugin designed to facilitate donations and fundraising activities. The issue stems from a missing authorization check (CWE-862) in the 'handle_request' function, which is responsible for processing certain plugin requests. Specifically, when the Events beta feature is enabled, this flaw allows unauthenticated attackers to modify event ticket settings without any capability verification. This lack of proper access control means that attackers can alter event-related data, potentially disrupting fundraising events or manipulating ticket configurations. The vulnerability affects all versions up to and including 3.13.0. The CVSS 3.1 base score is 6.5, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, meaning the attack can be performed remotely over the network without privileges or user interaction, impacting integrity and availability but not confidentiality. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. However, the risk remains significant due to the plugin's popularity and the critical nature of fundraising events managed through it.
Potential Impact
The vulnerability allows unauthorized modification of event ticket settings, which can lead to data integrity issues such as incorrect ticket pricing, availability, or event details. This can disrupt fundraising campaigns, cause financial losses, and damage organizational reputation. Additionally, the availability of event ticketing features could be impaired, potentially leading to denial of service for legitimate users attempting to participate in events. Since the exploit requires no authentication or user interaction, attackers can easily target vulnerable sites remotely. Organizations relying on GiveWP for critical fundraising activities, especially those using the Events beta feature, face risks of operational disruption and loss of donor trust. The impact is primarily on the integrity and availability of event-related data, which can cascade into broader organizational challenges.
Mitigation Recommendations
Organizations should immediately verify if the Events beta feature is enabled in their GiveWP plugin installations. If enabled, it is recommended to disable this feature until an official patch or update is released by the vendor. Administrators should monitor for updates from webdevmattcrom and apply security patches promptly once available. Implementing Web Application Firewall (WAF) rules to restrict access to the vulnerable 'handle_request' endpoint can provide temporary protection. Additionally, organizations should audit event ticket settings regularly for unauthorized changes and maintain robust backup procedures to restore data if tampering occurs. Monitoring logs for unusual activity related to event ticket modifications can help detect exploitation attempts early. Finally, limiting exposure by restricting administrative access to trusted IPs and enforcing least privilege principles on WordPress user roles can reduce risk.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Netherlands, South Africa
CVE-2024-5940: CWE-862 Missing Authorization in webdevmattcrom GiveWP – Donation Plugin and Fundraising Platform
Description
CVE-2024-5940 is a medium severity vulnerability in the GiveWP Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to 3. 13. 0. The flaw arises from a missing authorization check in the 'handle_request' function, allowing unauthenticated attackers to modify event ticket settings if the Events beta feature is enabled. Exploitation requires no user interaction or authentication and can impact data integrity and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to websites using this popular donation plugin, especially those leveraging event ticketing features. Organizations relying on GiveWP for fundraising should prioritize patching or disabling the Events beta feature until a fix is available. The vulnerability has a CVSS score of 6. 5, reflecting moderate risk due to ease of exploitation and potential impact. Countries with significant WordPress usage and active fundraising platforms are most at risk.
AI-Powered Analysis
Technical Analysis
CVE-2024-5940 is a vulnerability identified in the GiveWP – Donation Plugin and Fundraising Platform, a widely used WordPress plugin designed to facilitate donations and fundraising activities. The issue stems from a missing authorization check (CWE-862) in the 'handle_request' function, which is responsible for processing certain plugin requests. Specifically, when the Events beta feature is enabled, this flaw allows unauthenticated attackers to modify event ticket settings without any capability verification. This lack of proper access control means that attackers can alter event-related data, potentially disrupting fundraising events or manipulating ticket configurations. The vulnerability affects all versions up to and including 3.13.0. The CVSS 3.1 base score is 6.5, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, meaning the attack can be performed remotely over the network without privileges or user interaction, impacting integrity and availability but not confidentiality. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. However, the risk remains significant due to the plugin's popularity and the critical nature of fundraising events managed through it.
Potential Impact
The vulnerability allows unauthorized modification of event ticket settings, which can lead to data integrity issues such as incorrect ticket pricing, availability, or event details. This can disrupt fundraising campaigns, cause financial losses, and damage organizational reputation. Additionally, the availability of event ticketing features could be impaired, potentially leading to denial of service for legitimate users attempting to participate in events. Since the exploit requires no authentication or user interaction, attackers can easily target vulnerable sites remotely. Organizations relying on GiveWP for critical fundraising activities, especially those using the Events beta feature, face risks of operational disruption and loss of donor trust. The impact is primarily on the integrity and availability of event-related data, which can cascade into broader organizational challenges.
Mitigation Recommendations
Organizations should immediately verify if the Events beta feature is enabled in their GiveWP plugin installations. If enabled, it is recommended to disable this feature until an official patch or update is released by the vendor. Administrators should monitor for updates from webdevmattcrom and apply security patches promptly once available. Implementing Web Application Firewall (WAF) rules to restrict access to the vulnerable 'handle_request' endpoint can provide temporary protection. Additionally, organizations should audit event ticket settings regularly for unauthorized changes and maintain robust backup procedures to restore data if tampering occurs. Monitoring logs for unusual activity related to event ticket modifications can help detect exploitation attempts early. Finally, limiting exposure by restricting administrative access to trusted IPs and enforcing least privilege principles on WordPress user roles can reduce risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-06-12T22:08:52.345Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6bf8b7ef31ef0b55d250
Added to database: 2/25/2026, 9:39:04 PM
Last enriched: 2/26/2026, 2:56:35 AM
Last updated: 2/26/2026, 9:34:30 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing
HighCVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS
HighCVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews
HighCVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements
HighCVE-2026-28083: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in UX-themes Flatsome
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.