GiveWP – Donation Plugin and Fundraising Platform < 4.3.1 – Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification | CVE 2025-4571 | Plugin Vulnerabilities

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.

Affects Plugins

Fixed in 4.3.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Brian Sans-Souci (liardom)

Verified

No

WPVDB ID

f819ea85-bf28-4e8c-b72b-59741e7e9cee

Timeline

Publicly Published

2025-06-18 (about 10 months ago)

Added

2025-06-18 (about 10 months ago)

Last Updated

2025-06-19 (about 10 months ago)

Other

Published

Title

Published

2025-12-05

Title

MultiParcels Shipping For WooCommerce < 1.30.13 - Missing Authorization

Published

2025-01-23

Title

Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates < 1.0.15 - Missing Authorization to Spexo Theme Install

Published

2025-03-11

Title

Block Spam By Math Reloaded <= 2.2.4 - Missing Authorization

Published

2025-12-15

Title

Watu Quiz < 3.4.5.1 - Missing Authorization

Published

2024-07-11

Title

Product Delivery Date for WooCommerce – Lite < 2.7.3 - Missing Authorization