
CVE-2025-7221: CWE-285 Improper Authorization in givewp GiveWP – Donation Plugin and Fundraising Platform

Severity: Medium
Tags: Vulnerability, CVE-2025-7221, CWE-285
Published: Thu Aug 21 2025 (08/21/2025, 05:28:14 UTC)
Source: CVE Database V5
Vendor/Project: givewp
Product: GiveWP – Donation Plugin and Fundraising Platform

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donation statuses. This ability is not present in the user interface.

AI-Powered Analysis

AI analysis last updated: 08/21/2025, 15:32:52 UTC

Technical Analysis

CVE-2025-7221 is a medium-severity vulnerability affecting the GiveWP – Donation Plugin and Fundraising Platform for WordPress, specifically all versions up to and including 4.5.0. The vulnerability stems from improper authorization (CWE-285) due to a missing capability check in the function give_update_payment_status(). This flaw allows authenticated users with GiveWP Worker-level access or higher to modify donation statuses without proper authorization. Notably, this capability is not exposed through the user interface, implying that exploitation requires direct interaction with the vulnerable function, likely via crafted requests or API calls. The vulnerability does not affect confidentiality or availability but impacts integrity by allowing unauthorized modification of donation data. The CVSS 3.1 score is 4.3 (medium), reflecting that the attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), and the scope remains unchanged (S:U). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was publicly disclosed in August 2025, with the initial reservation in July 2025. This issue could be leveraged by insiders or compromised accounts with Worker-level permissions to manipulate donation statuses, potentially impacting financial reporting, donor trust, and fundraising integrity.

Potential Impact

For European organizations using GiveWP for fundraising and donation management, this vulnerability poses a risk to the integrity of donation data. Unauthorized modification of donation statuses could lead to inaccurate financial records, misrepresentation of fundraising outcomes, and potential compliance issues with financial regulations such as GDPR and anti-fraud laws. Nonprofits and charities relying on GiveWP could face reputational damage if donors discover manipulation or inconsistencies in donation records. While the vulnerability does not directly expose sensitive donor information or disrupt service availability, the ability to alter donation statuses undermines trust and could facilitate fraudulent activities, such as falsely marking donations as completed or refunded. Given the widespread use of WordPress and the popularity of GiveWP in European nonprofit sectors, the impact could be significant if exploited, especially in organizations with multiple users having Worker-level access or higher.

Mitigation Recommendations

European organizations should immediately audit user roles and permissions within GiveWP, ensuring that only trusted personnel have Worker-level or higher access. Implement strict access controls and monitor logs for unusual activity related to donation status changes. Since no official patch is currently linked, organizations should consider applying custom capability checks or temporarily restricting access to the give_update_payment_status() function via WordPress hooks or custom code. Additionally, enable multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of account compromise. Regularly back up donation data and implement integrity checks to detect unauthorized modifications. Organizations should also stay alert for official patches or updates from GiveWP and apply them promptly once available. Finally, consider isolating the donation management system from other critical infrastructure to limit lateral movement in case of exploitation.
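One way to implement the monitoring recommended above, as an added example that is not GiveWP's own code: a WordPress must-use plugin that records every donation status change together with the acting user and flags changes made by logged-in accounts below manager level, which are exactly the transitions the missing capability check would let through. The action name give_update_payment_status, its argument order, and the capability manage_give_settings are assumptions that must be verified against the installed GiveWP version; the block only audits and does not block, because gateway callbacks legitimately change statuses with no logged-in user.

```php
<?php
/**
 * Plugin Name: GiveWP donation status audit (example, not part of GiveWP)
 * Description: Logs donation status changes with the acting user and keeps
 * a short list of changes made by non-manager accounts for review.
 */

// Assumed: GiveWP fires this action after a status change with the
// arguments ( $payment_id, $new_status, $old_status ). Verify the hook
// name and argument order against the installed plugin before deploying.
add_action( 'give_update_payment_status', 'example_audit_give_status_change', 10, 3 );

function example_audit_give_status_change( $payment_id, $new_status, $old_status ) {
    $user_id = get_current_user_id(); // 0 for gateway webhooks and WP-Cron
    // Assumed manager-level capability; adjust to what your GiveWP version
    // grants to the Give Manager role.
    $manager_cap = 'manage_give_settings';

    $entry = array(
        'time'        => gmdate( 'c' ),
        'payment_id'  => (int) $payment_id,
        'old_status'  => sanitize_key( $old_status ),
        'new_status'  => sanitize_key( $new_status ),
        'user_id'     => $user_id,
        'user_login'  => $user_id ? wp_get_current_user()->user_login : '(none)',
        'is_manager'  => $user_id ? user_can( $user_id, $manager_cap ) : null,
        'request_uri' => isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    );

    // A logged-in user without the manager capability changing a status is
    // the case the UI never offers; mark it for review.
    $entry['review'] = ( $user_id && ! $entry['is_manager'] );

    // One JSON line per change so a log collector can parse and alert on it.
    error_log( 'givewp-status-audit ' . wp_json_encode( $entry ) );

    if ( $entry['review'] ) {
        // Keep the last 100 flagged changes in an option so admins can
        // review them without access to the server log.
        $flagged   = get_option( 'example_give_flagged_status_changes', array() );
        $flagged[] = $entry;
        update_option( 'example_give_flagged_status_changes', array_slice( $flagged, -100 ), false );
    }
}
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins and cannot be deactivated from the dashboard.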


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-07T14:36:20.359Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a7389bad5a09ad00121fd2

Added to database: 8/21/2025, 3:17:47 PM

Last enriched: 8/21/2025, 3:32:52 PM

Last updated: 8/21/2025, 3:32:52 PM
