Search

Find a vulnerability

Search criteria

    60 vulnerabilities found for GiveWP – Donation Plugin and Fundraising Platform by stellarwp

    CVE-2026-13704 (GCVE-0-2026-13704)

    Vulnerability from nvd – Published: 2026-07-02 05:35 – Updated: 2026-07-02 12:35
    VLAI
    Title
    GiveWP <= 4.16.1 - Authenticated (Give Worker+) Stored Cross-Site Scripting via Sequioa Form
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Chirita Catalin-Andrei (CC99IE)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13704",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T12:34:55.690582Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:35:05.389Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.16.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chirita Catalin-Andrei (CC99IE)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027sequoia[introduction][image]\u0027 parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T05:35:14.362Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee18552b-2814-4598-9b7b-7c919d6d644e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/includes/admin/forms/class-metabox-form-data.php#L1180"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/includes/formatting.php#L758"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/src/Views/Form/Templates/Sequoia/Sequoia.php#L459"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/src/Views/Form/Templates/Sequoia/sections/introduction.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Views/Form/Templates/Sequoia/sections/introduction.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Views/Form/Templates/Sequoia/Sequoia.php#L459"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/includes/admin/forms/class-metabox-form-data.php#L1180"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/includes/formatting.php#L758"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-29T13:31:49.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-01T17:15:16.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u003c= 4.16.1 - Authenticated (Give Worker+) Stored Cross-Site Scripting via Sequioa Form"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-13704",
        "datePublished": "2026-07-02T05:35:14.362Z",
        "dateReserved": "2026-06-29T13:16:34.616Z",
        "dateUpdated": "2026-07-02T12:35:05.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13246 (GCVE-0-2026-13246)

    Vulnerability from nvd – Published: 2026-07-01 03:43 – Updated: 2026-07-01 10:42
    VLAI
    Title
    GiveWP <= 4.16.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'block_id' Shortcode Attribute
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    AmonRa
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13246",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T10:33:12.231913Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T10:42:12.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.16.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "AmonRa"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027block_id\u0027 (and other) shortcode attributes of the \u0027givewp_campaign_comments\u0027 shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T03:43:33.891Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08f8f489-6b31-45d8-a122-bbaa283a2b10?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Blocks/CampaignComments/Controller/BlockRenderController.php#L23"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L78"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L17"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Actions/RegisterCampaignShortcodes.php#L30"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Blocks/CampaignComments/render.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Blocks/CampaignComments/Controller/BlockRenderController.php#L23"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L78"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L17"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Actions/RegisterCampaignShortcodes.php#L30"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Blocks/CampaignComments/render.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3590193%40give\u0026new=3590193%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-24T18:18:16.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T14:48:48.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u003c= 4.16.0 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027block_id\u0027 Shortcode Attribute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-13246",
        "datePublished": "2026-07-01T03:43:33.891Z",
        "dateReserved": "2026-06-24T18:03:05.183Z",
        "dateUpdated": "2026-07-01T10:42:12.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11981 (GCVE-0-2026-11981)

    Vulnerability from nvd – Published: 2026-07-01 04:32 – Updated: 2026-07-01 10:42
    VLAI
    Title
    GiveWP <= 4.15.3 - Cross-Site Request Forgery
    Summary
    The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    javitoia
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11981",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T10:31:43.929037Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T10:42:11.276Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.15.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "javitoia"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T04:32:26.862Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49954c72-df0d-46ec-a252-8af84dea41bf?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L25"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L24"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L25"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L24"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3573301/give/trunk/includes/admin/emails/ajax-handler.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fgive/tags/4.15.3\u0026new_path=%2Fgive/tags/4.15.4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-11T13:53:43.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T16:29:51.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u003c= 4.15.3 - Cross-Site Request Forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11981",
        "datePublished": "2026-07-01T04:32:26.862Z",
        "dateReserved": "2026-06-11T13:38:17.450Z",
        "dateUpdated": "2026-07-01T10:42:11.276Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13206 (GCVE-0-2025-13206)

    Vulnerability from nvd – Published: 2025-11-19 07:46 – Updated: 2026-04-08 17:10
    VLAI
    Title
    GiveWP - Donation Plugin and Fundraising Platform <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name'
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Angus Girvan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13206",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-19T18:01:52.436557Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-19T18:02:01.615Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Angus Girvan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018name\u2019 parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:10:03.740Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95823720-e1dc-46c1-887b-ffd877b2fbe5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/templates/shortcode-donor-wall.php#L59"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/process-donation.php#L1230"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/class-give-donor.php#L1135"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3398128/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-14T18:33:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-11-18T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP - Donation Plugin and Fundraising Platform \u003c= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via \u0027name\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13206",
        "datePublished": "2025-11-19T07:46:08.136Z",
        "dateReserved": "2025-11-14T18:17:22.262Z",
        "dateUpdated": "2026-04-08T17:10:03.740Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11228 (GCVE-0-2025-11228)

    Vulnerability from nvd – Published: 2025-10-04 02:24 – Updated: 2026-04-08 17:28
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-06T14:13:26.544107Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-06T14:16:26.035Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:28:12.808Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf9a043-5eb6-46fd-88c2-0f5a04f73fc9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L131"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3371948%40give\u0026new=3371948%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-09-13T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-10-01T12:14:44.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-10-03T14:13:58.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11228",
        "datePublished": "2025-10-04T02:24:37.546Z",
        "dateReserved": "2025-10-01T12:00:09.679Z",
        "dateUpdated": "2026-04-08T17:28:12.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11227 (GCVE-0-2025-11227)

    Vulnerability from nvd – Published: 2025-10-04 02:24 – Updated: 2026-04-08 16:53
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns Disclosure
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11227",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-06T14:18:21.013863Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-06T14:18:28.992Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the \u0027registerGetForm\u0027, \u0027registerGetForms\u0027, \u0027registerGetCampaign\u0027 and \u0027registerGetCampaigns\u0027 functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285 Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:24.277Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54db1807-69ff-445c-9e02-9abce9fd3940?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L82"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L91"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L60"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L52"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3371948%40give\u0026new=3371948%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-09-13T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-10-01T12:14:29.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-10-03T14:14:48.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns Disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11227",
        "datePublished": "2025-10-04T02:24:35.306Z",
        "dateReserved": "2025-10-01T11:59:03.245Z",
        "dateUpdated": "2026-04-08T16:53:24.277Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-7221 (GCVE-0-2025-7221)

    Vulnerability from nvd – Published: 2025-08-21 05:28 – Updated: 2026-04-08 17:05
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Missing Authorization to Donation Update
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7221",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-21T15:03:29.731388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-21T15:03:37.282Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285 Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:05:07.638Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8766608e-df72-4b9d-a301-a50c64fadc9a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/payments/functions.php#L339"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3333090/give"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-07-07T17:40:23.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-08-20T16:38:25.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.5.0 - Missing Authorization to Donation Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-7221",
        "datePublished": "2025-08-21T05:28:14.137Z",
        "dateReserved": "2025-07-07T14:36:20.359Z",
        "dateUpdated": "2026-04-08T17:05:07.638Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8620 (GCVE-0-2025-8620)

    Vulnerability from nvd – Published: 2025-08-06 09:22 – Updated: 2026-04-08 16:59
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0 - Unauthenticated Donor Data Exposure
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id. CVE-2025-47444 is a duplicate of this issue. CVE-2025-47444 is a duplicate of this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8620",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-06T19:29:46.672198Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-06T19:29:56.568Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id. CVE-2025-47444 is a duplicate of this issue. CVE-2025-47444 is a duplicate of this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:59:32.063Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc7c5a6-513e-4aa8-9538-0ac6fb37c867?source=cve"
            },
            {
              "url": "https://www.linkedin.com/posts/givewp_givewp-support-handpicked-from-the-best-activity-7356319738290974720-Dt4U/?utm_source=share\u0026utm_medium=member_desktop\u0026rcm=ACoAABmBk5UBxPIzCp0cgsD1_1xKASTMphetnI4"
            },
            {
              "url": "https://github.com/impress-org/givewp/issues/8042"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3336253%40give\u0026new=3336253%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-08-05T20:44:51.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-08-05T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.6.0 - Unauthenticated Donor Data Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-8620",
        "datePublished": "2025-08-06T09:22:32.841Z",
        "dateReserved": "2025-08-05T20:29:49.881Z",
        "dateUpdated": "2026-04-08T16:59:32.063Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-7205 (GCVE-0-2025-7205)

    Vulnerability from nvd – Published: 2025-07-31 07:25 – Updated: 2026-04-08 16:46
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7205",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-31T14:34:24.372778Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-31T14:34:47.892Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:50.644Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39e501d8-88a0-4625-aeb0-aa33fc89a8d4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/REST/V3/Routes/Donors/DonorNotesController.php#51"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3333090/give"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-07-07T17:40:22.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-07-30T19:18:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-7205",
        "datePublished": "2025-07-31T07:25:00.594Z",
        "dateReserved": "2025-07-07T12:05:07.346Z",
        "dateUpdated": "2026-04-08T16:46:50.644Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-4571 (GCVE-0-2025-4571)

    Vulnerability from nvd – Published: 2025-06-19 06:44 – Updated: 2026-04-08 17:06
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4571",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-20T12:38:15.681373Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-20T13:11:45.801Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors\u0027 data, modify campaign events, etc."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:06:30.308Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/DeleteCampaignListTable.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/EventTickets/Routes/UpdateEvent.php#L36"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/GetCampaignsListTable.php#L95"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/ListDonors.php#L31"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/Endpoint.php#L57"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/GetLogs.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/Endpoint.php#L26"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3305112/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-07T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-06-18T17:35:14.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-4571",
        "datePublished": "2025-06-19T06:44:48.532Z",
        "dateReserved": "2025-05-12T09:07:33.465Z",
        "dateUpdated": "2026-04-08T17:06:30.308Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2331 (GCVE-0-2025-2331)

    Vulnerability from nvd – Published: 2025-03-22 11:18 – Updated: 2026-04-08 17:17
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2331",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T19:19:54.570297Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T19:20:44.727Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.22.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the \u0027permissionsCheck\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:17:05.360Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4d9acfb-bb9d-4b00-b439-c7ccea751f8d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L68"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L117"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L227"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3258797/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-21T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2331",
        "datePublished": "2025-03-22T11:18:41.524Z",
        "dateReserved": "2025-03-14T23:28:16.875Z",
        "dateUpdated": "2026-04-08T17:17:05.360Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2025 (GCVE-0-2025-2025)

    Vulnerability from nvd – Published: 2025-03-15 11:13 – Updated: 2026-04-08 16:48
    VLAI
    Title
    Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Michael Mazzolini
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2025",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-17T21:25:13.704415Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-17T21:27:44.640Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Mazzolini"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:48:22.476Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40595943-121d-4492-a0ed-f2de1bd99fda?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/give/#description"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/admin/reports/reports.php#L304"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3252319/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-14T22:39:51.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Give \u003c= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2025",
        "datePublished": "2025-03-15T11:13:27.773Z",
        "dateReserved": "2025-03-06T01:06:40.782Z",
        "dateUpdated": "2026-04-08T16:48:22.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0912 (GCVE-0-2025-0912)

    Vulnerability from nvd – Published: 2025-03-04 03:37 – Updated: 2026-04-08 17:05
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection
    Summary
    The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Credits
    dream hard
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0912",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-04T16:26:11.247512Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-04T16:26:20.121Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.19.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "dream hard"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the \u0027card_address\u0027 parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:05:41.453Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547c?source=cve"
            },
            {
              "url": "https://github.com/impress-org/givewp/pull/7679/files"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donors/Repositories/DonorRepository.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Properties/BillingAddress.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Repositories/DonationRepository.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3234114%40give\u0026new=3234114%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-03T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 3.19.4 - Unauthenticated PHP Object Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0912",
        "datePublished": "2025-03-04T03:37:59.369Z",
        "dateReserved": "2025-01-30T21:22:37.640Z",
        "dateUpdated": "2026-04-08T17:05:41.453Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12877 (GCVE-0-2024-12877)

    Vulnerability from nvd – Published: 2025-01-11 07:21 – Updated: 2026-04-08 17:16
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 3.19.2 - Unauthenticated PHP Object Injection
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Credits
    Viet Nguyen Quoc
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12877",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-13T17:11:52.813320Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-13T17:12:05.279Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.19.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Viet Nguyen Quoc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like \u0027firstName\u0027. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:22.820Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2143edf-5423-4e79-8638-a5b98490d292?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-10T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 3.19.2 - Unauthenticated PHP Object Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-12877",
        "datePublished": "2025-01-11T07:21:53.510Z",
        "dateReserved": "2024-12-20T21:49:42.876Z",
        "dateUpdated": "2026-04-08T17:16:22.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9634 (GCVE-0-2024-9634)

    Vulnerability from nvd – Published: 2024-10-16 02:05 – Updated: 2026-04-08 17:17
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 3.16.3 - Unauthenticated PHP Object Injection to Remote Code Execution
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    stellarwp GiveWP – Donation Plugin and Fundraising Platform Affected: 0 , ≤ 3.16.3 (semver)
    Create a notification for this product.
    webdevmattcrom givewp_donation_plugin_and_fundraising_platform Affected: 0 , ≤ 3.16.3 (custom)
        cpe:2.3:a:webdevmattcrom:givewp_donation_plugin_and_fundraising_platform:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    fabrice perez
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:webdevmattcrom:givewp_donation_plugin_and_fundraising_platform:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "givewp_donation_plugin_and_fundraising_platform",
                "vendor": "webdevmattcrom",
                "versions": [
                  {
                    "lessThanOrEqual": "3.16.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9634",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T16:36:16.433305Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T16:36:55.440Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.16.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "fabrice perez"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:17:52.783Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8eb3aa9-fe60-48b6-aa24-7873dd68b47e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/3.16.2/src/Donations/Repositories/DonationRepository.php?rev=3157829"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3166836/give/tags/3.16.4/includes/process-donation.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-15T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 3.16.3 - Unauthenticated PHP Object Injection to Remote Code Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-9634",
        "datePublished": "2024-10-16T02:05:09.208Z",
        "dateReserved": "2024-10-08T15:59:21.224Z",
        "dateUpdated": "2026-04-08T17:17:52.783Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13704 (GCVE-0-2026-13704)

    Vulnerability from cvelistv5 – Published: 2026-07-02 05:35 – Updated: 2026-07-02 12:35
    VLAI
    Title
    GiveWP <= 4.16.1 - Authenticated (Give Worker+) Stored Cross-Site Scripting via Sequioa Form
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Chirita Catalin-Andrei (CC99IE)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13704",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T12:34:55.690582Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:35:05.389Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.16.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chirita Catalin-Andrei (CC99IE)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027sequoia[introduction][image]\u0027 parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T05:35:14.362Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee18552b-2814-4598-9b7b-7c919d6d644e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/includes/admin/forms/class-metabox-form-data.php#L1180"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/includes/formatting.php#L758"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/src/Views/Form/Templates/Sequoia/Sequoia.php#L459"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/src/Views/Form/Templates/Sequoia/sections/introduction.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Views/Form/Templates/Sequoia/sections/introduction.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Views/Form/Templates/Sequoia/Sequoia.php#L459"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/includes/admin/forms/class-metabox-form-data.php#L1180"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/includes/formatting.php#L758"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-29T13:31:49.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-01T17:15:16.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u003c= 4.16.1 - Authenticated (Give Worker+) Stored Cross-Site Scripting via Sequioa Form"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-13704",
        "datePublished": "2026-07-02T05:35:14.362Z",
        "dateReserved": "2026-06-29T13:16:34.616Z",
        "dateUpdated": "2026-07-02T12:35:05.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11981 (GCVE-0-2026-11981)

    Vulnerability from cvelistv5 – Published: 2026-07-01 04:32 – Updated: 2026-07-01 10:42
    VLAI
    Title
    GiveWP <= 4.15.3 - Cross-Site Request Forgery
    Summary
    The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    javitoia
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11981",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T10:31:43.929037Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T10:42:11.276Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.15.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "javitoia"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T04:32:26.862Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49954c72-df0d-46ec-a252-8af84dea41bf?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L25"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L24"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L25"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L24"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3573301/give/trunk/includes/admin/emails/ajax-handler.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fgive/tags/4.15.3\u0026new_path=%2Fgive/tags/4.15.4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-11T13:53:43.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T16:29:51.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u003c= 4.15.3 - Cross-Site Request Forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11981",
        "datePublished": "2026-07-01T04:32:26.862Z",
        "dateReserved": "2026-06-11T13:38:17.450Z",
        "dateUpdated": "2026-07-01T10:42:11.276Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13246 (GCVE-0-2026-13246)

    Vulnerability from cvelistv5 – Published: 2026-07-01 03:43 – Updated: 2026-07-01 10:42
    VLAI
    Title
    GiveWP <= 4.16.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'block_id' Shortcode Attribute
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    AmonRa
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13246",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T10:33:12.231913Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T10:42:12.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.16.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "AmonRa"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027block_id\u0027 (and other) shortcode attributes of the \u0027givewp_campaign_comments\u0027 shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T03:43:33.891Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08f8f489-6b31-45d8-a122-bbaa283a2b10?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Blocks/CampaignComments/Controller/BlockRenderController.php#L23"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L78"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L17"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Actions/RegisterCampaignShortcodes.php#L30"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Blocks/CampaignComments/render.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Blocks/CampaignComments/Controller/BlockRenderController.php#L23"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L78"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L17"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Actions/RegisterCampaignShortcodes.php#L30"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Blocks/CampaignComments/render.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3590193%40give\u0026new=3590193%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-24T18:18:16.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T14:48:48.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u003c= 4.16.0 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027block_id\u0027 Shortcode Attribute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-13246",
        "datePublished": "2026-07-01T03:43:33.891Z",
        "dateReserved": "2026-06-24T18:03:05.183Z",
        "dateUpdated": "2026-07-01T10:42:12.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13206 (GCVE-0-2025-13206)

    Vulnerability from cvelistv5 – Published: 2025-11-19 07:46 – Updated: 2026-04-08 17:10
    VLAI
    Title
    GiveWP - Donation Plugin and Fundraising Platform <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name'
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Angus Girvan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13206",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-19T18:01:52.436557Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-19T18:02:01.615Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Angus Girvan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018name\u2019 parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:10:03.740Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95823720-e1dc-46c1-887b-ffd877b2fbe5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/templates/shortcode-donor-wall.php#L59"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/process-donation.php#L1230"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/class-give-donor.php#L1135"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3398128/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-14T18:33:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-11-18T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP - Donation Plugin and Fundraising Platform \u003c= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via \u0027name\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13206",
        "datePublished": "2025-11-19T07:46:08.136Z",
        "dateReserved": "2025-11-14T18:17:22.262Z",
        "dateUpdated": "2026-04-08T17:10:03.740Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11228 (GCVE-0-2025-11228)

    Vulnerability from cvelistv5 – Published: 2025-10-04 02:24 – Updated: 2026-04-08 17:28
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-06T14:13:26.544107Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-06T14:16:26.035Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:28:12.808Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf9a043-5eb6-46fd-88c2-0f5a04f73fc9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L131"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3371948%40give\u0026new=3371948%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-09-13T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-10-01T12:14:44.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-10-03T14:13:58.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11228",
        "datePublished": "2025-10-04T02:24:37.546Z",
        "dateReserved": "2025-10-01T12:00:09.679Z",
        "dateUpdated": "2026-04-08T17:28:12.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11227 (GCVE-0-2025-11227)

    Vulnerability from cvelistv5 – Published: 2025-10-04 02:24 – Updated: 2026-04-08 16:53
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns Disclosure
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11227",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-06T14:18:21.013863Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-06T14:18:28.992Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the \u0027registerGetForm\u0027, \u0027registerGetForms\u0027, \u0027registerGetCampaign\u0027 and \u0027registerGetCampaigns\u0027 functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285 Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:24.277Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54db1807-69ff-445c-9e02-9abce9fd3940?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L82"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L91"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L60"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L52"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3371948%40give\u0026new=3371948%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-09-13T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-10-01T12:14:29.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-10-03T14:14:48.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns Disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11227",
        "datePublished": "2025-10-04T02:24:35.306Z",
        "dateReserved": "2025-10-01T11:59:03.245Z",
        "dateUpdated": "2026-04-08T16:53:24.277Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-7221 (GCVE-0-2025-7221)

    Vulnerability from cvelistv5 – Published: 2025-08-21 05:28 – Updated: 2026-04-08 17:05
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Missing Authorization to Donation Update
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7221",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-21T15:03:29.731388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-21T15:03:37.282Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285 Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:05:07.638Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8766608e-df72-4b9d-a301-a50c64fadc9a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/payments/functions.php#L339"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3333090/give"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-07-07T17:40:23.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-08-20T16:38:25.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.5.0 - Missing Authorization to Donation Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-7221",
        "datePublished": "2025-08-21T05:28:14.137Z",
        "dateReserved": "2025-07-07T14:36:20.359Z",
        "dateUpdated": "2026-04-08T17:05:07.638Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8620 (GCVE-0-2025-8620)

    Vulnerability from cvelistv5 – Published: 2025-08-06 09:22 – Updated: 2026-04-08 16:59
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0 - Unauthenticated Donor Data Exposure
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id. CVE-2025-47444 is a duplicate of this issue. CVE-2025-47444 is a duplicate of this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8620",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-06T19:29:46.672198Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-06T19:29:56.568Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id. CVE-2025-47444 is a duplicate of this issue. CVE-2025-47444 is a duplicate of this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:59:32.063Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc7c5a6-513e-4aa8-9538-0ac6fb37c867?source=cve"
            },
            {
              "url": "https://www.linkedin.com/posts/givewp_givewp-support-handpicked-from-the-best-activity-7356319738290974720-Dt4U/?utm_source=share\u0026utm_medium=member_desktop\u0026rcm=ACoAABmBk5UBxPIzCp0cgsD1_1xKASTMphetnI4"
            },
            {
              "url": "https://github.com/impress-org/givewp/issues/8042"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3336253%40give\u0026new=3336253%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-08-05T20:44:51.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-08-05T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.6.0 - Unauthenticated Donor Data Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-8620",
        "datePublished": "2025-08-06T09:22:32.841Z",
        "dateReserved": "2025-08-05T20:29:49.881Z",
        "dateUpdated": "2026-04-08T16:59:32.063Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-7205 (GCVE-0-2025-7205)

    Vulnerability from cvelistv5 – Published: 2025-07-31 07:25 – Updated: 2026-04-08 16:46
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7205",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-31T14:34:24.372778Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-31T14:34:47.892Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:50.644Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39e501d8-88a0-4625-aeb0-aa33fc89a8d4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/REST/V3/Routes/Donors/DonorNotesController.php#51"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3333090/give"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-07-07T17:40:22.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-07-30T19:18:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-7205",
        "datePublished": "2025-07-31T07:25:00.594Z",
        "dateReserved": "2025-07-07T12:05:07.346Z",
        "dateUpdated": "2026-04-08T16:46:50.644Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-4571 (GCVE-0-2025-4571)

    Vulnerability from cvelistv5 – Published: 2025-06-19 06:44 – Updated: 2026-04-08 17:06
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4571",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-20T12:38:15.681373Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-20T13:11:45.801Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors\u0027 data, modify campaign events, etc."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:06:30.308Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/DeleteCampaignListTable.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/EventTickets/Routes/UpdateEvent.php#L36"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/GetCampaignsListTable.php#L95"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/ListDonors.php#L31"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/Endpoint.php#L57"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/GetLogs.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/Endpoint.php#L26"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3305112/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-07T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-06-18T17:35:14.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-4571",
        "datePublished": "2025-06-19T06:44:48.532Z",
        "dateReserved": "2025-05-12T09:07:33.465Z",
        "dateUpdated": "2026-04-08T17:06:30.308Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2331 (GCVE-0-2025-2331)

    Vulnerability from cvelistv5 – Published: 2025-03-22 11:18 – Updated: 2026-04-08 17:17
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2331",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T19:19:54.570297Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T19:20:44.727Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.22.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the \u0027permissionsCheck\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:17:05.360Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4d9acfb-bb9d-4b00-b439-c7ccea751f8d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L68"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L117"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L227"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3258797/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-21T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2331",
        "datePublished": "2025-03-22T11:18:41.524Z",
        "dateReserved": "2025-03-14T23:28:16.875Z",
        "dateUpdated": "2026-04-08T17:17:05.360Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2025 (GCVE-0-2025-2025)

    Vulnerability from cvelistv5 – Published: 2025-03-15 11:13 – Updated: 2026-04-08 16:48
    VLAI
    Title
    Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Michael Mazzolini
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2025",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-17T21:25:13.704415Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-17T21:27:44.640Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Mazzolini"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:48:22.476Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40595943-121d-4492-a0ed-f2de1bd99fda?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/give/#description"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/admin/reports/reports.php#L304"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3252319/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-14T22:39:51.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Give \u003c= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2025",
        "datePublished": "2025-03-15T11:13:27.773Z",
        "dateReserved": "2025-03-06T01:06:40.782Z",
        "dateUpdated": "2026-04-08T16:48:22.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0912 (GCVE-0-2025-0912)

    Vulnerability from cvelistv5 – Published: 2025-03-04 03:37 – Updated: 2026-04-08 17:05
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection
    Summary
    The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Credits
    dream hard
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0912",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-04T16:26:11.247512Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-04T16:26:20.121Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.19.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "dream hard"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the \u0027card_address\u0027 parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:05:41.453Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a8ae1b0-e9a0-4179-970b-dbcb0642547c?source=cve"
            },
            {
              "url": "https://github.com/impress-org/givewp/pull/7679/files"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donors/Repositories/DonorRepository.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Properties/BillingAddress.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3234114/give/trunk/src/Donations/Repositories/DonationRepository.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3234114%40give\u0026new=3234114%40give\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-03T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 3.19.4 - Unauthenticated PHP Object Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0912",
        "datePublished": "2025-03-04T03:37:59.369Z",
        "dateReserved": "2025-01-30T21:22:37.640Z",
        "dateUpdated": "2026-04-08T17:05:41.453Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12877 (GCVE-0-2024-12877)

    Vulnerability from cvelistv5 – Published: 2025-01-11 07:21 – Updated: 2026-04-08 17:16
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 3.19.2 - Unauthenticated PHP Object Injection
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Credits
    Viet Nguyen Quoc
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12877",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-13T17:11:52.813320Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-13T17:12:05.279Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.19.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Viet Nguyen Quoc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like \u0027firstName\u0027. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3 so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:22.820Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2143edf-5423-4e79-8638-a5b98490d292?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-10T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 3.19.2 - Unauthenticated PHP Object Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-12877",
        "datePublished": "2025-01-11T07:21:53.510Z",
        "dateReserved": "2024-12-20T21:49:42.876Z",
        "dateUpdated": "2026-04-08T17:16:22.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9634 (GCVE-0-2024-9634)

    Vulnerability from cvelistv5 – Published: 2024-10-16 02:05 – Updated: 2026-04-08 17:17
    VLAI
    Title
    GiveWP – Donation Plugin and Fundraising Platform <= 3.16.3 - Unauthenticated PHP Object Injection to Remote Code Execution
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    stellarwp GiveWP – Donation Plugin and Fundraising Platform Affected: 0 , ≤ 3.16.3 (semver)
    Create a notification for this product.
    webdevmattcrom givewp_donation_plugin_and_fundraising_platform Affected: 0 , ≤ 3.16.3 (custom)
        cpe:2.3:a:webdevmattcrom:givewp_donation_plugin_and_fundraising_platform:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    fabrice perez
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:webdevmattcrom:givewp_donation_plugin_and_fundraising_platform:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "givewp_donation_plugin_and_fundraising_platform",
                "vendor": "webdevmattcrom",
                "versions": [
                  {
                    "lessThanOrEqual": "3.16.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9634",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T16:36:16.433305Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T16:36:55.440Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "stellarwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.16.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "fabrice perez"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:17:52.783Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8eb3aa9-fe60-48b6-aa24-7873dd68b47e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/give/tags/3.16.2/src/Donations/Repositories/DonationRepository.php?rev=3157829"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3166836/give/tags/3.16.4/includes/process-donation.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-15T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform \u003c= 3.16.3 - Unauthenticated PHP Object Injection to Remote Code Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-9634",
        "datePublished": "2024-10-16T02:05:09.208Z",
        "dateReserved": "2024-10-08T15:59:21.224Z",
        "dateUpdated": "2026-04-08T17:17:52.783Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }