{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7221", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-07T14:36:20.359Z", "datePublished": "2025-08-21T05:28:14.137Z", "dateUpdated": "2026-04-08T17:05:07.638Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:07.638Z"}, "affected": [{"vendor": "stellarwp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface."}], "title": "GiveWP \u2013 Donation Plugin and Fundraising Platform <= 4.5.0 - Missing Authorization to Donation Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8766608e-df72-4b9d-a301-a50c64fadc9a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/payments/functions.php#L339"}, {"url": "https://plugins.trac.wordpress.org/changeset/3333090/give"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "timeline": [{"time": "2025-07-07T17:40:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-20T16:38:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-21T15:03:29.731388Z", "id": "CVE-2025-7221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T15:03:37.282Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-21T15:03:29.731388Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T15:03:34.107Z"}}], "cna": {"title": "GiveWP \u2013 Donation Plugin and Fundraising Platform <= 4.5.0 - Missing Authorization to Donation Update", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-07T17:40:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-20T16:38:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8766608e-df72-4b9d-a301-a50c64fadc9a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/payments/functions.php#L339"}, {"url": "https://plugins.trac.wordpress.org/changeset/3333090/give"}], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:07.638Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7221", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:07.638Z", "dateReserved": "2025-07-07T14:36:20.359Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-21T05:28:14.137Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DAFC5FC8-243E-4095-9AF8-97E5555861D5", "versionEndExcluding": "4.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface."}, {"lang": "es", "value": "El complemento GiveWP \u2013 Donation Plugin and Fundraising Platform para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n give_update_payment_status() en todas las versiones hasta la 4.5.0 incluida. Esto permite que atacantes autenticados, con acceso de nivel Worker de GiveWP y superior, actualicen el estado de las donaciones. Esta funci\u00f3n no est\u00e1 disponible en la interfaz de usuario."}], "id": "CVE-2025-7221", "lastModified": "2025-12-03T13:30:05.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-08-21T06:15:34.143", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/give/trunk/includes/payments/functions.php#L339"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3333090/give"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8766608e-df72-4b9d-a301-a50c64fadc9a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:17:54.242599+00:00", "value": {"mitigation_remediation": ["Upgrade GiveWP to the latest version (4.5.1 or later) to restore proper capability checks.", "Review and minimize Worker-level permissions, ensuring only trusted accounts retain the ability to manage donations.", "If an immediate upgrade is not possible, temporarily revoke GiveWP Worker capability from all users except those who must manage donations or implement a custom patch that blocks status changes by unauthorized roles."], "summary": {"action": "Update plugin", "impact": "Unauthorized modification of donation status"}, "threat_synthesis": {"affected_systems": "The issue affects the GiveWP \u2013 Donation Plugin and Fundraising Platform provided by StellarWP, versions up to and including 4.5.0, deployed on WordPress installations.", "description_and_impact": "The vulnerability arises from a missing capability check in the give_update_payment_status() function, allowing any authenticated user with GiveWP Worker-level access or higher to change the status of a donation. This flaw does not appear in the user interface but can be exploited through the plugin's backend logic. The impact is that attackers can alter donation records to mark funds as collected, refunded, or otherwise modified, undermining financial integrity and potentially defrauding donors or administrators. The flaw is a classic missing authorization check (CWE\u2011285) and is likely exploited via the plugin\u2019s API or backend interface by an authenticated user with Worker-level or higher capability.", "risk_and_exploitability": "With a CVSS score of 4.3 the flaw is of moderate severity, and an EPSS score of less than 1% indicates a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and possess at least Worker-level capability; exploitation can occur via the plugin's API or back\u2011end interfaces. No external input is required to trigger the flaw."}}}}, "created": "2025-08-21T12:30:43.781416+00:00", "updated": "2026-04-21T19:30:06.080930+00:00", "vendors": ["givew", "givew$PRODUCT$donation_plugin_and_fundraising_platform", "wordpress", "wordpress$PRODUCT$wordpress"]}