GiveWP – Donation Plugin and Fundraising Platform < 3.22.2 – Authenticated (Subscriber+) Sensitive Information Exposure | CVE 2025-2331 | Plugin Vulnerabilities

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.

Affects Plugins

Fixed in 3.22.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b4d9acfb-bb9d-4b00-b439-c7ccea751f8d

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Brian Sans-Souci (liardom)

Verified

No

WPVDB ID

b331a81b-b7cc-4e0a-a088-26468a835cc5

Timeline

Publicly Published

2025-03-21 (about 1 year ago)

Added

2025-03-21 (about 1 year ago)

Last Updated

2025-03-22 (about 1 year ago)

Other

Published

Title

Published

2025-03-12

Title

WooCommerce Bookings < 2.2.5 - Unauthenticated Bookings Products Data and Metadata Disclosure via REST API

Published

2025-04-22

Title

WordPress Simple PayPal Shopping Cart < 5.1.3 - Unauthenticated Information Exposure via file_url Parameter

Published

2024-05-07

Title

Barcode Scanner with Inventory & Order Manager < 1.5.5 - Unauthenticated Information Exposure

Published

2023-07-17

Title

Royal Elementor Addons < 1.3.71 - Unauthenticated API Key Disclosure

Published

2024-04-05

Title

Subscribe To Comments Reloaded < 240119 - Unauthenticated Sensitive Information Exposure