CVE-2025-22633: Insertion of Sensitive Information into Externally-Accessible File or Directory in StellarWP Give – Divi Donation Modules
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in StellarWP Give – Divi Donation Modules (give-donation-modules-for-divi) allows Retrieve Embedded Sensitive Data. This issue affects Give – Divi Donation Modules: from n/a through <= 2.0.0.
AI Analysis
Technical Summary
CVE-2025-22633 is a vulnerability in the StellarWP Give – Divi Donation Modules plugin, which adds donation functionality to WordPress sites built on the Divi theme. The plugin writes sensitive information into files or directories that are reachable from outside the site, so the embedded data can be retrieved without authorization. All versions up to and including 2.0.0 are affected. The root cause is improper handling and storage of sensitive data: it is written to locations served by the web server without adequate access controls or sanitization. An attacker could use the flaw to read confidential information such as donor details, payment information, or other sensitive content the plugin embeds. No exploits have been reported in the wild, but the vulnerability is publicly disclosed and may therefore attract exploitation attempts. No official patch was available at the time of disclosure, so organizations must rely on interim mitigations. Exploitation requires no authentication, which raises the risk profile, and can be carried out remotely by anyone who can reach the relevant file paths. The issue is especially concerning for non-profits and charities that rely on the plugin to process donations, because exposure of donor information could lead to privacy violations, reputational damage, and regulatory penalties. Since no CVSS score has been assigned, severity must be assessed from the impact and exploitability factors described here.
Potential Impact
The primary impact of CVE-2025-22633 is unauthorized disclosure of sensitive information, a loss of confidentiality. Organizations running the affected plugin risk exposure of donor personal data, payment details, and potentially other embedded sensitive content, which can lead to privacy breaches, loss of donor trust, and legal consequences under data protection regulations such as GDPR or CCPA. The vulnerability does not directly affect integrity or availability, but it can cause operational disruption indirectly if systems must be taken offline to remediate or to investigate a breach. Because exploitation requires no authentication, the attack surface is broad and exploitation attempts are more likely. The scope is limited to sites running the affected plugin versions, but given the popularity of WordPress and the Divi theme, a significant number of sites worldwide could be affected. The absence of known in-the-wild exploits lowers the immediate risk without eliminating it, since threat actors may develop exploits following public disclosure.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to determine whether the Give – Divi Donation Modules plugin is installed and which version is in use. Until an official patch is released, administrators should restrict access to the directories and files where the plugin stores sensitive data, using web server configuration (for example .htaccess rules on Apache or location blocks on Nginx) to deny external access. A web application firewall (WAF) with custom rules that block suspicious requests for the plugin's file paths can further reduce exposure. Monitor access logs regularly for unusual request patterns against the plugin's directories. Where feasible, consider temporarily disabling the plugin or replacing it with an alternative donation solution that is not affected. Once a vendor patch is available, apply it promptly. More broadly, review the site's overall WordPress security posture: install plugins only from trusted sources, enforce least privilege, and conduct regular security assessments.
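The log-monitoring step above can be made concrete with a small detector. The following is an added example, not code from the advisory or from StellarWP; it assumes the plugin is served from the standard WordPress plugin path for its slug, and the sample access-log lines (including the data/export.json file name) are constructed for illustration. It flags successful direct requests for directory listings or data files under that path, grouped by client IP for review.

```python
import re
from collections import defaultdict

# Assumption: the plugin is served from the standard WordPress plugin path for its slug.
PLUGIN_PATH = "/wp-content/plugins/give-donation-modules-for-divi/"
# Combined (Apache/Nginx) access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Data-file extensions a browser never needs to fetch directly from a plugin directory;
# CSS/JS/images are normal and ignored. A 200 on one of these is what to review.
SUSPECT_EXT = (".json", ".txt", ".csv", ".log", ".xml", ".sql", ".bak", ".env", ".zip")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def is_suspect(rec):
    """Successful request for a directory listing or data file under the plugin path."""
    if rec is None or rec["status"] != 200:
        return False
    p = rec["path"].lower()
    return p.startswith(PLUGIN_PATH) and (p.endswith("/") or p.endswith(SUSPECT_EXT))

def find_suspect_requests(lines):
    """Group suspect request paths by client IP so each source can be reviewed."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if is_suspect(rec):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)

# Constructed sample lines (not real traffic); the data/export.json name is hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2026:10:01:02 +0000] "GET /wp-content/plugins/give-donation-modules-for-divi/assets/style.css HTTP/1.1" 200 812',
    '203.0.113.7 - - [05/Apr/2026:10:01:03 +0000] "GET /wp-content/plugins/give-donation-modules-for-divi/ HTTP/1.1" 200 2310',
    '203.0.113.7 - - [05/Apr/2026:10:01:05 +0000] "GET /wp-content/plugins/give-donation-modules-for-divi/data/export.json?x=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [05/Apr/2026:10:02:00 +0000] "GET /wp-content/plugins/give-donation-modules-for-divi/data/export.json HTTP/1.1" 403 199',
    '198.51.100.9 - - [05/Apr/2026:10:02:01 +0000] "GET /donate/ HTTP/1.1" 200 14002',
]
SUSPECT = find_suspect_requests(SAMPLE_LOG)  # only the two 200 hits from 203.0.113.7
```

The stylesheet request, the 403 (already blocked) and the ordinary page view are ignored; the directory listing and the successful data-file fetch are reported, which is the pattern a deny rule should turn into 403s.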
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-07T21:02:24.870Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd75fbe6bfc5ba1df08b90
Added to database: 4/1/2026, 7:46:03 PM
Last enriched: 4/2/2026, 10:30:33 AM
Last updated: 4/6/2026, 9:36:55 AM