{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2331", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-14T23:28:16.875Z", "datePublished": "2025-03-22T11:18:41.524Z", "dateUpdated": "2026-04-08T17:17:05.360Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:05.360Z"}, "affected": [{"vendor": "stellarwp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.22.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts."}], "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4d9acfb-bb9d-4b00-b439-c7ccea751f8d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L68"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L117"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L227"}, {"url": "https://plugins.trac.wordpress.org/changeset/3258797/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "timeline": [{"time": "2025-03-21T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-24T19:19:54.570297Z", "id": "CVE-2025-2331", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-24T19:20:44.727Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2331", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-24T19:19:54.570297Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-24T19:20:05.730Z"}}], "cna": {"title": "GiveWP \u2013 Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.22.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-21T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4d9acfb-bb9d-4b00-b439-c7ccea751f8d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L68"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L117"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L227"}, {"url": "https://plugins.trac.wordpress.org/changeset/3258797/"}], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:05.360Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2331", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:05.360Z", "dateReserved": "2025-03-14T23:28:16.875Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-22T11:18:41.524Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A07B7FF8-F44A-477C-9339-ABEF97D27925", "versionEndExcluding": "3.22.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts."}, {"lang": "es", "value": "El complemento GiveWP \u2013 Donation Plugin and Fundraising Platform para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta la 3.22.1 incluida, debido a una comprobaci\u00f3n de capacidad mal configurada en la funci\u00f3n \"permissionsCheck\". Esto permite a atacantes autenticados, con acceso de suscriptor o superior, extraer datos sensibles, incluyendo informes que detallan los donantes y los montos de las donaciones."}], "id": "CVE-2025-2331", "lastModified": "2025-08-11T14:17:42.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-22T12:15:26.833", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L117"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L227"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L68"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/changeset/3258797/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4d9acfb-bb9d-4b00-b439-c7ccea751f8d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:46:21.552524+00:00", "value": {"mitigation_remediation": ["Upgrade GiveWP to version 3.22.2 or newer, which removes the misconfigured permission check.", "If an immediate upgrade is not possible, restrict the Subscriber role from the capability that allows report generation by removing the associated capability in WordPress role management or the plugin\u2019s role configuration.", "Audit the site\u2019s role and capability assignments to ensure no unauthorized users have reporting access, especially if custom roles or plugins are used to extend permissions."], "summary": {"action": "Update", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "Affects all versions of the GiveWP plugin for WordPress up to and including 3.22.1, regardless of the WordPress core version. Users who run any vulnerable version of the plugin, whether on public or private sites, are at risk.", "description_and_impact": "The vulnerability resides in a misconfigured capability check within the permissionsCheck function of the GiveWP Donation Plugin and Fundraising Platform. This flaw (CWE-200, Sensitive Information Exposure) allows authenticated users who have Subscriber-level roles or higher to access API endpoints and retrieve donor reports that include amounts and personal information. The impact is the exposure of confidential data, violating the confidentiality property and potentially leading to privacy breaches for donors.", "risk_and_exploitability": "The CVSS score of 5.3 reflects moderate severity, while the EPSS score indicates a very low likelihood of exploitation (under 1 percent). The vulnerability requires legitimate credentials, so it is limited to authenticated subscribers or higher-level accounts. The attacker can exploit the flaw by calling the relevant API endpoints to pull sensitive donation data; the absence of a KEV listing further underlines the current low exploitation probability."}}}}, "created": "2026-04-21T22:00:26.591003+00:00", "updated": "2026-04-21T22:00:26.591040+00:00", "vendors": []}