CVE-2024-5941 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the GiveWP – Donation Plugin and Fundraising Platform for WordPress. The issue arises from the 'handle_request' function, which fails to perform adequate capability checks before processing requests. This flaw allows authenticated users with Subscriber-level permissions or higher to access and delete attachment files associated with the plugin. Since WordPress Subscriber roles typically have minimal privileges, this vulnerability significantly elevates the risk by enabling low-privilege users to perform unauthorized actions. The vulnerability affects all versions up to 3.14.1 inclusive. The attack vector is network-based and requires authentication but no user interaction, making exploitation feasible for any logged-in user with minimal privileges. The impact includes unauthorized reading of file paths (confidentiality impact) and deletion of attachment files (availability impact). The CVSS 3.1 score of 5.4 reflects a medium severity with low attack complexity and no user interaction required. No public exploits have been reported yet, but the vulnerability poses a risk to websites using GiveWP for donation management, potentially leading to data loss or exposure of sensitive file paths. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations.

The vulnerability allows authenticated users with minimal privileges to read sensitive file paths and delete attachment files, which can disrupt fundraising operations by causing data loss or exposing internal file structure information. This can undermine donor trust and potentially lead to further exploitation if attackers leverage the disclosed file paths for additional attacks. Organizations relying on GiveWP for managing donations and fundraising campaigns face risks of operational disruption and data integrity issues. The ability to delete attachments could result in loss of critical fundraising data or donor-related documents. Since the vulnerability requires only Subscriber-level access, it broadens the threat surface to include any registered user, increasing the likelihood of exploitation in multi-user environments. The medium severity rating indicates moderate impact, but the real-world consequences could be significant for non-technical users who may not detect unauthorized deletions promptly. Additionally, the lack of user interaction requirement facilitates automated exploitation by malicious insiders or compromised accounts.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict user registrations and carefully manage user roles to limit Subscriber-level access only to trusted users. 2) Employ WordPress security plugins or custom code to enforce stricter capability checks on the GiveWP plugin’s functions, particularly 'handle_request'. 3) Monitor file system changes and attachment deletions closely using file integrity monitoring tools to detect unauthorized deletions quickly. 4) Regularly back up attachment files and donation data to enable recovery in case of deletion. 5) Disable or restrict access to the GiveWP plugin’s attachment management features for low-privilege users via custom role modifications or access control plugins. 6) Stay informed about updates from the plugin vendor and apply patches promptly once available. 7) Conduct security audits and penetration tests focusing on user privilege escalation and file access controls within the WordPress environment hosting GiveWP.