
CVE-2025-8620: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in givewp GiveWP – Donation Plugin and Fundraising Platform

Medium
Tags: Vulnerability, CVE-2025-8620, CWE-200
Published: Wed Aug 06 2025 (08/06/2025, 09:22:32 UTC)
Source: CVE Database V5
Vendor/Project: givewp
Product: GiveWP – Donation Plugin and Fundraising Platform

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor IDs.

AI-Powered Analysis

Last updated: 08/06/2025, 09:47:42 UTC

Technical Analysis

CVE-2025-8620 is a medium-severity vulnerability affecting the GiveWP – Donation Plugin and Fundraising Platform for WordPress, specifically all versions up to and including 4.6.0. This vulnerability is classified under CWE-200, which pertains to the exposure of sensitive information to unauthorized actors. The flaw allows unauthenticated attackers to extract sensitive donor information such as names, email addresses, and donor IDs without requiring any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), and the impact is limited to confidentiality (C:L), with no impact on integrity or availability. The CVSS v3.1 base score is 5.3, reflecting a medium severity level. This exposure of personally identifiable information (PII) can lead to privacy violations, potential phishing attacks, and reputational damage for organizations using the plugin. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations must monitor for updates and consider interim mitigations. The vulnerability arises from insufficient access controls or improper data handling within the plugin's code, allowing public access to donor data endpoints or database queries.

Potential Impact

For European organizations, this vulnerability poses significant privacy risks, especially considering the stringent requirements of the EU General Data Protection Regulation (GDPR). Unauthorized disclosure of donor PII such as names and emails can lead to regulatory penalties, legal liabilities, and loss of donor trust. Nonprofits and fundraising platforms using GiveWP in Europe could face reputational harm and financial consequences if donor data is leaked. Additionally, exposed donor emails could be leveraged for targeted phishing or social engineering campaigns against donors or the organization itself. While the vulnerability does not affect system integrity or availability, the confidentiality breach alone is critical in the context of privacy laws and donor relationship management. Organizations relying on GiveWP for fundraising should be aware that this vulnerability could undermine their data protection obligations and donor confidence.

Mitigation Recommendations

Given the absence of an official patch at the time of this report, European organizations should implement immediate compensating controls. These include restricting access to the GiveWP plugin endpoints via web application firewalls (WAFs) or server-level access controls to limit exposure to trusted IP ranges or authenticated users only. Organizations should audit and monitor logs for unusual access patterns to donor data endpoints. Temporarily disabling or replacing the GiveWP plugin with alternative fundraising solutions that do not expose donor data is advisable until a secure version is released. Additionally, organizations should review their privacy policies and notify affected donors if exposure is confirmed, in compliance with GDPR breach notification requirements. Once a patch is available, prompt application is essential. Regular security assessments and plugin updates should be enforced to prevent recurrence.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-05T20:29:49.881Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6893213dad5a09ad00f0266e

Added to database: 8/6/2025, 9:32:45 AM

Last enriched: 8/6/2025, 9:47:42 AM

Last updated: 8/18/2025, 1:22:21 AM
