CVE-2025-2025 identifies a missing authorization vulnerability (CWE-862) in the GiveWP – Donation Plugin and Fundraising Platform for WordPress, specifically in the give_reports_earnings() function. This function lacks proper capability checks, allowing unauthenticated attackers to access sensitive earnings report data without any authentication or user interaction. The vulnerability affects all versions up to and including 3.22.0. The plugin is widely used by nonprofits and fundraising organizations to manage donations and generate financial reports. The flaw enables remote attackers to retrieve confidential financial information, potentially exposing donor data and fundraising amounts. The CVSS 3.1 base score is 6.5 (medium), with attack vector network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity (I:N), and no availability (A:N) impact. No public exploits are known yet, but the vulnerability could be leveraged to gather sensitive data for further attacks or reputational damage. The lack of a patch link indicates that a fix may not yet be available, emphasizing the need for immediate mitigation.

The primary impact of this vulnerability is unauthorized disclosure of sensitive financial data related to donations and fundraising earnings. Organizations using GiveWP could suffer confidentiality breaches, exposing donor information and fundraising amounts, which may lead to loss of donor trust, reputational damage, and potential regulatory compliance issues (e.g., GDPR, HIPAA if applicable). Although the vulnerability does not affect data integrity or availability, the exposure of sensitive data can facilitate targeted phishing, social engineering, or further attacks against the organization. Nonprofits and fundraising platforms are particularly sensitive to such breaches due to the nature of their data and reliance on public trust. The ease of exploitation and lack of authentication requirements increase the risk of widespread data leakage if unmitigated.

1. Immediately update the GiveWP plugin to a patched version once available from the vendor. Monitor official GiveWP channels for patch announcements. 2. Until a patch is released, restrict access to the WordPress admin and plugin endpoints using web application firewalls (WAFs) or IP whitelisting to limit exposure to trusted users only. 3. Implement strict capability checks at the web server or application firewall level to block unauthorized requests targeting the give_reports_earnings() function. 4. Monitor web server logs for suspicious access patterns or attempts to query earnings reports without authentication. 5. Conduct a thorough audit of donation and earnings data access logs to detect any potential unauthorized access. 6. Educate site administrators on the importance of plugin updates and security best practices. 7. Consider temporarily disabling the GiveWP plugin if the risk outweighs operational needs until a fix is applied. 8. Employ network segmentation and least privilege principles to reduce the attack surface of WordPress installations hosting GiveWP.