CVE-2025-8620 is a medium-severity vulnerability affecting the GiveWP – Donation Plugin and Fundraising Platform for WordPress, specifically all versions up to and including 4.6.0. This vulnerability is classified under CWE-200, which pertains to the exposure of sensitive information to unauthorized actors. The flaw allows unauthenticated attackers to extract sensitive donor information such as names, email addresses, and donor IDs without requiring any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), and the impact is limited to confidentiality (C:L), with no impact on integrity or availability. The CVSS v3.1 base score is 5.3, reflecting a medium severity level. This exposure of personally identifiable information (PII) can lead to privacy violations, potential phishing attacks, and reputational damage for organizations using the plugin. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations must monitor for updates and consider interim mitigations. The vulnerability arises from insufficient access controls or improper data handling within the plugin's code, allowing public access to donor data endpoints or database queries.

For European organizations, this vulnerability poses significant privacy risks, especially considering the stringent requirements of the EU General Data Protection Regulation (GDPR). Unauthorized disclosure of donor PII such as names and emails can lead to regulatory penalties, legal liabilities, and loss of donor trust. Nonprofits and fundraising platforms using GiveWP in Europe could face reputational harm and financial consequences if donor data is leaked. Additionally, exposed donor emails could be leveraged for targeted phishing or social engineering campaigns against donors or the organization itself. While the vulnerability does not affect system integrity or availability, the confidentiality breach alone is critical in the context of privacy laws and donor relationship management. Organizations relying on GiveWP for fundraising should be aware that this vulnerability could undermine their data protection obligations and donor confidence.

Given the absence of an official patch at the time of this report, European organizations should implement immediate compensating controls. These include restricting access to the GiveWP plugin endpoints via web application firewalls (WAFs) or server-level access controls to limit exposure to trusted IP ranges or authenticated users only. Organizations should audit and monitor logs for unusual access patterns to donor data endpoints. Temporarily disabling or replacing the GiveWP plugin with alternative fundraising solutions that do not expose donor data is advisable until a secure version is released. Additionally, organizations should review their privacy policies and notify affected donors if exposure is confirmed, in compliance with GDPR breach notification requirements. Once a patch is available, prompt application is essential. Regular security assessments and plugin updates should be enforced to prevent recurrence.