CVE-2025-8620: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in givewp GiveWP – Donation Plugin and Fundraising Platform
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor IDs.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-8620 is a vulnerability in the GiveWP Donation Plugin and Fundraising Platform for WordPress, present in all versions up to and including 4.6.0. It allows unauthenticated attackers to retrieve sensitive donor information, specifically donor names, email addresses, and donor IDs, with no authentication or user interaction required. The weakness is classified as CWE-200, exposure of sensitive information to an unauthorized actor. The CVSS v3.1 base score is 5.3 (medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), low confidentiality impact (C:L), and no impact on integrity or availability (I:N/A:N). The exposure is attributed to improper access controls or insufficient data protection in the plugin's code, such that donor data endpoints or database queries can be reached without an authentication check; the vendor description does not name the specific endpoint involved. Although no public exploits have been reported, the ease of exploitation and the sensitivity of the exposed data make this a significant privacy concern. Organizations using GiveWP for fundraising should be aware that donor PII exposure can lead to reputational damage, legal liability under data protection regulations such as GDPR or CCPA, and phishing or social engineering attacks against donors. The plugin is widely used by nonprofits and fundraising organizations globally. With no official patch noted at the time of reporting, immediate mitigation is needed to prevent data leakage.
Potential Impact
The primary impact of CVE-2025-8620 is the unauthorized disclosure of personally identifiable information (PII) of donors, including names, email addresses, and donor IDs. This exposure can lead to privacy violations and non-compliance with data protection laws such as GDPR, CCPA, and others, potentially resulting in regulatory fines and legal action. Organizations may suffer reputational damage and loss of donor trust, which can adversely affect fundraising efforts. Exposed donor information can also be used by attackers for targeted phishing campaigns, social engineering, or identity theft. While the vulnerability does not affect system integrity or availability, the confidentiality breach alone is significant given the sensitivity of donor data. Because exploitation requires no authentication or user interaction, attackers can automate data harvesting at scale, increasing the risk of mass data leaks. Nonprofits and fundraising platforms relying on GiveWP are particularly at risk, and the impact is amplified in regions with strict privacy regulations.
Mitigation Recommendations
Organizations using the GiveWP plugin should immediately verify their plugin version and upgrade to a patched version once available. Until an official patch is released, administrators should implement the following mitigations:
- Restrict access to the GiveWP plugin endpoints by IP whitelisting or firewall rules so that only trusted networks can reach them.
- Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting donor data endpoints.
- Disable or restrict public access to donation data APIs or pages that may expose donor information.
- Monitor server and application logs for unusual access patterns or repeated requests to sensitive endpoints.
- Conduct a thorough audit of donor data exposure and notify affected donors if a breach is suspected, in compliance with applicable laws.
- Consider adding authentication or access control layers around sensitive data retrieval functions within the plugin, where customization is possible.
- Regularly back up data and maintain an incident response plan tailored to data exposure incidents.
These steps will help reduce the attack surface and protect donor information until a secure plugin update is deployed.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, Sweden, New Zealand, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-05T20:29:49.881Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6893213dad5a09ad00f0266e
Added to database: 8/6/2025, 9:32:45 AM
Last enriched: 2/26/2026, 5:20:32 PM
Last updated: 3/24/2026, 12:58:44 PM
Views: 115