Give < 3.22.1 – Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function | CVE 2025-2025 | Plugin Vulnerabilities

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.

Affects Plugins

Fixed in 3.22.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/40595943-121d-4492-a0ed-f2de1bd99fda

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

ebe88626-2127-4021-aa8e-f2f47e12ad4f

Timeline

Publicly Published

2025-03-14 (about 1 year ago)

Added

2025-03-14 (about 1 year ago)

Last Updated

2025-03-15 (about 1 year ago)

Other

Published

Title

Published

2023-06-03

Title

B2BKing < 4.6.20 - Subscriber+ Arbitrary Products Price Update

Published

2026-03-01

Title

VW Education Lite < 2.2.1 - Missing Authorization

Published

2025-04-01

Title

ShortPixel Adaptive Images < 3.10.1 - Missing Authorization

Published

2025-10-23

Title

NGINX Cache Optimizer <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update

Published

2025-02-21

Title

Residential Address Detection < 2.5.5 - Unauthenticated Arbitrary Options Update