{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2025", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-06T01:06:40.782Z", "datePublished": "2025-03-15T11:13:27.773Z", "dateUpdated": "2026-04-08T16:48:22.476Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:22.476Z"}, "affected": [{"vendor": "stellarwp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.22.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports."}], "title": "Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40595943-121d-4492-a0ed-f2de1bd99fda?source=cve"}, {"url": "https://wordpress.org/plugins/give/#description"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/admin/reports/reports.php#L304"}, {"url": "https://plugins.trac.wordpress.org/changeset/3252319/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-03-14T22:39:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-17T21:25:13.704415Z", "id": "CVE-2025-2025", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T21:27:44.640Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-17T21:25:13.704415Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T21:25:14.899Z"}}], "cna": {"title": "Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "givewp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.22.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-14T22:39:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40595943-121d-4492-a0ed-f2de1bd99fda?source=cve"}, {"url": "https://wordpress.org/plugins/give/#description"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/admin/reports/reports.php#L304"}, {"url": "https://plugins.trac.wordpress.org/changeset/3252319/"}], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-15T11:13:27.773Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2025", "state": "PUBLISHED", "dateUpdated": "2025-03-17T21:27:44.640Z", "dateReserved": "2025-03-06T01:06:40.782Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-15T11:13:27.773Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5A1816C4-2BDF-403C-B19E-B90DAF9FF151", "versionEndExcluding": "3.22.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports."}, {"lang": "es", "value": "El complemento GiveWP \u2013 Donation Plugin and Fundraising Platform para WordPress es vulnerable al acceso no autorizado a los datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n give_reports_earnings() en todas las versiones hasta la 3.22.0 incluida. Esto permite que atacantes no autenticados divulguen informaci\u00f3n confidencial incluida en los informes de ganancias."}], "id": "CVE-2025-2025", "lastModified": "2025-03-25T19:48:15.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-15T12:15:12.207", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/admin/reports/reports.php#L304"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3252319/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/give/#description"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40595943-121d-4492-a0ed-f2de1bd99fda?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:52:24.412075+00:00", "value": {"mitigation_remediation": ["Update the GiveWP plugin to the newest available release that includes the missing capability check.", "If an immediate update is not possible, restrict access to the Earnings Reports section by adding an `add_submenu_page` `capability` check or by removing the page via plugin hooks so only authenticated administrators can view the reports.", "Monitor web server logs for abnormal access patterns to the reports endpoint and block IPs that repeatedly request earnings data from unauthenticated sessions."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Disclosure of Earnings Reports"}, "threat_synthesis": {"affected_systems": "WordPress sites that host the stellarwp:GiveWP \u2013 Donation Plugin and Fundraising Platform in any version up to 3.22.0 are affected. Administrators should verify the installed plugin version and apply the latest release to mitigate the risk. No other vendors or products are mentioned in the vulnerability report.", "description_and_impact": "The vulnerability arises from a missing capability check in the give_reports_earnings() function of the GiveWP \u2013 Donation Plugin and Fundraising Platform. This weakness permits any unauthenticated visitor to request earnings reports and retrieve sensitive financial and donor information. The flaw is classified as Missing Authorization (CWE-862) and could compromise confidentiality of donor data and financial statements but does not affect ability to perform other operations or to modify data.", "risk_and_exploitability": "The CVSS score of 6.5 reflects a moderate impact, and with an EPSS score of < 1\u202f% the likelihood of automated exploitation is low. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers are inferred to be able to trigger the flaw by invoking the give_reports_earnings function or its corresponding admin endpoint without authentication. Successful execution would expose earnings data to the attacker."}}}}, "created": "2026-04-22T02:00:05.038232+00:00", "updated": "2026-04-22T02:00:05.038242+00:00", "vendors": []}