CVE-2025-67467 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the GiveWP plugin developed by StellarWP, affecting all versions up to and including 4.13.1. GiveWP is a popular WordPress plugin used primarily for managing donations and fundraising campaigns. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged request to a web application, causing the application to perform unintended actions on behalf of the user without their consent. In this case, the vulnerability allows malicious actors to craft specially designed web requests that, when executed by an authenticated user (such as a site administrator or donor), can alter donation settings, initiate unauthorized transactions, or modify plugin configurations. The vulnerability does not require prior authentication by the attacker but does require the victim to be logged into the affected WordPress site. No public exploits have been reported yet, but the vulnerability is published and known, increasing the risk of future exploitation. The absence of a CVSS score indicates that the vulnerability is newly disclosed and pending further analysis. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for proactive mitigation. The vulnerability primarily impacts the integrity of the affected system by enabling unauthorized actions, and potentially availability if critical configurations are altered. Since GiveWP is widely used by non-profit organizations and charities to manage donations, exploitation could lead to financial fraud, data manipulation, or disruption of fundraising activities.

For European organizations, especially non-profits and charities relying on GiveWP for donation management, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized changes in donation settings, fraudulent transactions, or disruption of fundraising campaigns, potentially causing financial losses and reputational damage. The integrity of donor data and transaction records could be compromised, undermining trust. Additionally, if administrative accounts are targeted, attackers could gain broader control over the WordPress site, leading to further exploitation such as data breaches or site defacement. The impact extends to availability if critical plugin configurations are altered or disabled. Given the widespread use of WordPress and GiveWP in Europe, particularly in countries with strong non-profit sectors, the threat could affect a large number of organizations. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks, especially as the vulnerability is publicly disclosed.

Organizations should immediately monitor for updates from StellarWP and apply patches as soon as they become available. In the interim, implement anti-CSRF tokens in all forms and state-changing requests within the GiveWP plugin to prevent unauthorized requests. Restrict administrative access to trusted users and enforce strong authentication mechanisms, including multi-factor authentication (MFA). Review and limit user permissions to the minimum necessary to reduce the attack surface. Employ web application firewalls (WAFs) with rules designed to detect and block CSRF attack patterns. Educate users, especially administrators, about the risks of clicking on untrusted links or visiting suspicious websites while logged into administrative accounts. Regularly audit plugin configurations and logs for unusual activities. Consider isolating donation management functions on separate subdomains or environments to contain potential exploitation impact. Finally, maintain comprehensive backups to enable recovery in case of compromise.