CVE-2025-11228: CWE-862 Missing Authorization in givewp GiveWP – Donation Plugin and Fundraising Platform
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-11228 identifies a missing authorization vulnerability (CWE-862) in the GiveWP – Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to and including 4.10.0. The vulnerability arises because the function registerAssociateFormsWithCampaign lacks a capability check, so an unauthenticated attacker can associate any donation form with any campaign. In other words, an attacker can manipulate the linkage between donation forms and campaigns, potentially redirecting donations or corrupting campaign data. The vulnerability is remotely exploitable without any privileges or user interaction, which raises its risk profile. Although it does not expose confidential data or disrupt service availability, it compromises data integrity by enabling unauthorized modifications. No patches or official fixes are currently linked, and no known exploits have been observed in the wild. The CVSS v3.1 base score is 5.3 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required and no user interaction, with impact limited to integrity. GiveWP is widely used by nonprofits and fundraising organizations on WordPress sites worldwide, so the affected population of versions up to 4.10.0 is large.
Potential Impact
The primary impact of CVE-2025-11228 is the unauthorized modification of donation form associations within fundraising campaigns, which can lead to data integrity issues. Attackers could redirect donations to unintended campaigns, potentially causing financial loss or reputational damage to organizations relying on GiveWP for fundraising. This undermines donor trust and may disrupt fundraising operations. Since the vulnerability does not affect confidentiality or availability, the risk is confined to integrity and operational correctness. However, the ease of exploitation without authentication or user interaction means attackers can automate attacks at scale, potentially affecting many organizations. Nonprofits, charities, and other entities using GiveWP globally could face manipulation of their donation data, impacting fundraising effectiveness and donor relations. While no known exploits exist yet, the vulnerability's public disclosure increases the risk of future exploitation attempts.
Mitigation Recommendations
Organizations using the GiveWP plugin should immediately verify their plugin version and upgrade to a patched version once one is available. In the absence of an official patch, administrators should implement strict access controls on the WordPress backend to limit exposure, including restricting REST API access and blocking unauthenticated requests to the endpoints that can reach the vulnerable function. Monitoring logs for suspicious API calls related to donation form and campaign associations can help detect exploitation attempts. Employing Web Application Firewalls (WAFs) with custom rules to block unauthorized requests that target the registerAssociateFormsWithCampaign function is recommended. Additionally, organizations should audit donation form and campaign associations regularly to identify unauthorized changes. Engaging with the GiveWP vendor for timely patches and security advisories is critical. Finally, educating site administrators about this vulnerability and enforcing the principle of least privilege for user roles can reduce risk.
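The root cause described above is a WordPress handler that modifies data without first asking whether the caller is allowed to (CWE-862). The following example, added here and not taken from GiveWP's code base, shows the general pattern and its fix in a WordPress REST route: a `permission_callback` of `__return_true` lets anyone invoke the handler, while a capability check via `current_user_can()` makes WordPress reject unauthorized callers before the callback runs. The namespace `example-donations/v1`, the route path, the function names and the `manage_options` capability are all assumptions chosen for the demonstration; the page does not give GiveWP's real route or capability.

```php
<?php
// Illustrative example, not GiveWP's code. Route, capability and function
// names are assumptions for the demonstration.

// Vulnerable pattern (CWE-862): a permission callback that always returns
// true, so an unauthenticated request can rewrite campaign/form links.
function example_register_route_missing_authz() {
    register_rest_route( 'example-donations/v1', '/campaigns/(?P<id>\d+)/forms', array(
        'methods'             => 'POST',
        'callback'            => 'example_associate_forms_with_campaign',
        'permission_callback' => '__return_true', // anyone, logged in or not
    ) );
}

// Hardened pattern: WordPress enforces the capability check before the
// callback executes, and the arguments are validated/typed.
function example_register_route_with_authz() {
    register_rest_route( 'example-donations/v1', '/campaigns/(?P<id>\d+)/forms', array(
        'methods'             => 'POST',
        'callback'            => 'example_associate_forms_with_campaign',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Assumed capability; use the one your plugin defines for
            // campaign management rather than a blanket admin capability.
            if ( ! current_user_can( 'manage_options' ) ) {
                // 401 for anonymous callers, 403 for logged-in users lacking the capability.
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient permissions.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
            'form_ids' => array(
                'required' => true,
                'type'     => 'array',
                'items'    => array( 'type' => 'integer' ),
            ),
        ),
    ) );
}

// Defence in depth: the handler repeats the check so it stays safe if it is
// ever reached through another path (admin-ajax, WP-CLI, a future route)
// that forgets to gate it.
function example_associate_forms_with_campaign( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient permissions.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    $campaign_id = (int) $request['id'];
    $form_ids    = array_map( 'intval', (array) $request->get_param( 'form_ids' ) );
    // Persisting the association is omitted; only the authorization shape matters here.
    return rest_ensure_response( array( 'campaign_id' => $campaign_id, 'form_ids' => $form_ids ) );
}

// Register the hardened route.
add_action( 'rest_api_init', 'example_register_route_with_authz' );
```

When auditing a plugin for this class of bug, the quick check is to grep every `register_rest_route()` call for `'permission_callback' => '__return_true'` (or a missing `permission_callback`) on any route whose method is not read-only, and to confirm that the handler behind it either has its own `current_user_can()` check or is never reachable by another entry point.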
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-01T12:00:09.679Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e0877c11971642e85b346c
Added to database: 10/4/2025, 2:33:32 AM
Last enriched: 2/27/2026, 6:52:37 PM
Last updated: 3/25/2026, 11:06:25 AM