CVE-2025-8620: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in givewp GiveWP – Donation Plugin and Fundraising Platform
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id.
AI Analysis
Technical Summary
CVE-2025-8620 is a medium-severity vulnerability affecting the GiveWP – Donation Plugin and Fundraising Platform for WordPress, specifically all versions up to and including 4.6.0. It is classified under CWE-200, exposure of sensitive information to an unauthorized actor. The flaw allows unauthenticated attackers to extract sensitive donor information (names, email addresses, and donor IDs) without any user interaction. The vulnerability is remotely exploitable over the network (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), and the impact is limited to confidentiality (C:L), with no impact on integrity or availability. The CVSS v3.1 base score is 5.3, a medium severity level. This exposure of personally identifiable information (PII) can lead to privacy violations, phishing attacks, and reputational damage for organizations using the plugin. No exploits are currently reported in the wild, and no patch has been linked yet, so organizations must monitor for updates and consider interim mitigations. The vulnerability arises from insufficient access controls or improper data handling within the plugin's code, allowing public access to donor data endpoints or database queries.
Potential Impact
For European organizations, this vulnerability poses significant privacy risks, especially considering the stringent requirements of the EU General Data Protection Regulation (GDPR). Unauthorized disclosure of donor PII such as names and emails can lead to regulatory penalties, legal liabilities, and loss of donor trust. Nonprofits and fundraising platforms using GiveWP in Europe could face reputational harm and financial consequences if donor data is leaked. Additionally, exposed donor emails could be leveraged for targeted phishing or social engineering campaigns against donors or the organization itself. While the vulnerability does not affect system integrity or availability, the confidentiality breach alone is critical in the context of privacy laws and donor relationship management. Organizations relying on GiveWP for fundraising should be aware that this vulnerability could undermine their data protection obligations and donor confidence.
Mitigation Recommendations
Given the absence of an official patch at the time of this report, European organizations should implement immediate compensating controls. These include restricting access to the GiveWP plugin endpoints via web application firewalls (WAFs) or server-level access controls to limit exposure to trusted IP ranges or authenticated users only. Organizations should audit and monitor logs for unusual access patterns to donor data endpoints. Temporarily disabling or replacing the GiveWP plugin with alternative fundraising solutions that do not expose donor data is advisable until a secure version is released. Additionally, organizations should review their privacy policies and notify affected donors if exposure is confirmed, in compliance with GDPR breach notification requirements. Once a patch is available, prompt application is essential. Regular security assessments and plugin updates should be enforced to prevent recurrence.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-05T20:29:49.881Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6893213dad5a09ad00f0266e
Added to database: 8/6/2025, 9:32:45 AM
Last enriched: 8/6/2025, 9:47:42 AM
Last updated: 8/18/2025, 1:22:21 AM