{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11228", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-01T12:00:09.679Z", "datePublished": "2025-10-04T02:24:37.546Z", "dateUpdated": "2026-04-08T17:28:12.808Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:12.808Z"}, "affected": [{"vendor": "stellarwp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.10.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign."}], "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf9a043-5eb6-46fd-88c2-0f5a04f73fc9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L131"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371948%40give&new=3371948%40give&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-09-13T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-01T12:14:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-03T14:13:58.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-06T14:13:26.544107Z", "id": "CVE-2025-11228", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T14:16:26.035Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11228", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-06T14:13:26.544107Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T14:13:31.787Z"}}], "cna": {"title": "GiveWP \u2013 Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.10.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-13T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-01T12:14:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-03T14:13:58.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf9a043-5eb6-46fd-88c2-0f5a04f73fc9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L131"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371948%40give&new=3371948%40give&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:12.808Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11228", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:12.808Z", "dateReserved": "2025-10-01T12:00:09.679Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-04T02:24:37.546Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8DC55D80-8F3E-4BCF-A8E5-077D85206D39", "versionEndExcluding": "4.10.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign."}], "id": "CVE-2025-11228", "lastModified": "2025-11-26T17:04:30.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-10-04T03:15:37.043", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L131"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371948%40give&new=3371948%40give&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf9a043-5eb6-46fd-88c2-0f5a04f73fc9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:45:54.333602+00:00", "value": {"mitigation_remediation": ["Upgrade the GiveWP plugin to the latest available version that addresses the missing capability check.", "If an upgrade cannot be performed immediately, restrict POST/GET access to the /registerAssociateFormsWithCampaign route using a web application firewall or server\u2011side rules so that only authenticated sessions can reach it.", "Review and tighten WordPress role capabilities so that only privileged users (e.g., administrators or editors) have permissions to modify donation form and campaign relationships."], "summary": {"action": "Apply Patch", "impact": "Unauthorized data modification through form\u2011campaign association"}, "threat_synthesis": {"affected_systems": "All installations of GiveWP \u2013 Donation Plugin and Fundraising Platform for WordPress with versions 4.10.0 or earlier are impacted. The problem exists across the entire plugin codebase up to and including release 4.10.0, affecting any site that has not yet upgraded to a newer version.", "description_and_impact": "The vulnerability in the GiveWP plugin allows an attacker to associate any donation form with any campaign without authentication. This missing capability check permits unauthorized manipulation of campaign data, impacting the integrity of those records. The flaw is a classic case of Missing Authorization (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate risk; the EPSS score is lower than 1%, implying a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Because the function can be called without authentication, the likely attack vector is a direct web request to the registerAssociateFormsWithCampaign endpoint, allowing an unauthenticated user to execute the association operation."}}}}, "created": "2025-10-06T14:42:04.863046+00:00", "updated": "2026-04-22T01:00:04.351916+00:00", "vendors": ["givew", "givew$PRODUCT$donation_plugin_and_fundraising_platform", "wordpress", "wordpress$PRODUCT$wordpress"]}