CVE-2025-2331 is a missing-authorization vulnerability in the GiveWP — Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to and including 3.22.1. Because the plugin's permissionsCheck function never verifies a capability, any authenticated WordPress user, down to the Subscriber role, can read reports containing donor names, donation amounts and related details.
What is GiveWP and Why Is This a Big Deal?
GiveWP is one of the most widely installed donation plugins, used by charities, nonprofits and individuals to collect funds through their WordPress sites. Its reports describe financial transactions and the people behind them, so a leak exposes donors' personal data and can carry legal (data-protection) and reputational consequences for the organization running the site.
The Root Cause
At the heart of the issue is the permissionsCheck function in GiveWP, the permission callback for the REST endpoints that return financial reports and donor data. A WordPress REST route's permission_callback is the only thing standing between a caller and the route's handler, so it has to decide based on capability, not merely on whether a session exists.
In versions up to 3.22.1 it did not. Instead of requiring a capability such as manage_give_settings or view_give_reports, the check passed any logged-in user, Subscribers included. This is a missing capability check (CWE-862, Missing Authorization): authentication was verified, authorization was not.
Sample Snippet (Vulnerable Code, illustrative; not the plugin's literal source)
public function permissionsCheck( $request ) {
    // BAD: authentication only. Any account that can log in passes,
    // including Subscribers created through open registration.
    if ( is_user_logged_in() ) {
        return true;
    }
    // Only anonymous callers ever reach this branch, so 401 happens to be right here.
    return new WP_Error( 'rest_forbidden', __( 'You do not have permissions to access this endpoint.', 'give' ), array( 'status' => 401 ) );
}
Correct Approach (What It Should Be)
public function permissionsCheck( $request ) {
    // GOOD: require the capability that actually governs report access.
    // manage_give_settings is the admin-level choice; a narrower report-only capability
    // such as view_give_reports is preferable where the endpoint only reads reports.
    if ( current_user_can( 'manage_give_settings' ) ) {
        return true;
    }
    // rest_authorization_required_code() returns 401 for anonymous callers and 403 for
    // logged-in users who lack the capability, which is the WordPress REST convention.
    return new WP_Error( 'rest_forbidden', __( 'You do not have permissions to access this endpoint.', 'give' ), array( 'status' => rest_authorization_required_code() ) );
}
How Can This Be Exploited?
An attacker needs nothing more than a valid login. A plain Subscriber account is enough, and many sites hand those out freely through open registration, comment sign-up or membership features. With it, the attacker calls the GiveWP REST API reporting endpoints (this article uses /wp-json/give-api/v2/reports/ as the example path) and reads the same report data an administrator would.
Send a GET request to the report endpoint, authenticated as the subscriber. WordPress core accepts cookie authentication with an X-WP-Nonce header, or an Application Password over HTTP Basic auth; there is no bearer-token scheme in core, so a request typically looks like this:
GET /wp-json/give-api/v2/reports/?type=donations&period=all HTTP/1.1
Host: target-wordpress-site.com
Authorization: Basic <base64(subscriber-username:application-password)>
Read the response:
The response is the report payload itself. Depending on the report requested it includes:
- Donor names (and, for donor-level reports, email addresses)
- Donation amounts and frequency
- Dates and times of each donation
- Recurring-donation details (possibly including partial payment-method data)
- Funnel/source attribution, if tracked
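To check whether a given site is still exposed without crafting requests by hand, the following audit script (an added example written for this article, not code from GiveWP, Wordfence or the original advisory) loads the REST server inside WordPress, impersonates an existing Subscriber account, and calls the permission callback of every registered route under the /give-api/v2/reports prefix used above. It assumes WP-CLI is available, that at least one Subscriber exists, and that the report routes live under that prefix; adjust $prefix if the site's routes differ.

```php
<?php
/**
 * givewp-rest-audit.php (added example, not part of GiveWP)
 * Run inside WordPress with:  wp eval-file givewp-rest-audit.php
 * Exit code 0 = all report routes turn a Subscriber away, 2 = at least one lets them in.
 */

// Route prefix to audit; /give-api/v2/reports is the prefix this article uses (assumption).
$prefix = '/give-api/v2/reports';

// Impersonate any existing Subscriber: the lowest default role that can log in.
$subscribers = get_users( array( 'role' => 'subscriber', 'number' => 1, 'fields' => 'ID' ) );
if ( empty( $subscribers ) ) {
    fwrite( STDERR, "No subscriber account found; create one to run the audit.\n" );
    exit( 1 );
}
wp_set_current_user( (int) $subscribers[0] );

// rest_get_server() fires rest_api_init on first use, so every plugin's routes get registered.
$server  = rest_get_server();
$exposed = array();
$guarded = array();

foreach ( $server->get_routes() as $route => $handlers ) {
    if ( 0 !== strpos( $route, $prefix ) ) {
        continue;
    }
    foreach ( $handlers as $handler ) {
        $methods = array_keys( $handler['methods'] );          // e.g. array( 'GET' )
        $label   = implode( ',', $methods ) . ' ' . $route;

        // A route without a permission_callback is wide open (WordPress warns about this since 5.5).
        if ( empty( $handler['permission_callback'] ) ) {
            $exposed[] = $label . '  (no permission_callback)';
            continue;
        }

        // Ask the route's own permission callback whether the Subscriber may proceed.
        // The route key is a regex pattern; that is fine for callbacks that only test capabilities.
        $request = new WP_REST_Request( $methods[0], $route );
        $allowed = call_user_func( $handler['permission_callback'], $request );

        if ( true === $allowed ) {
            $exposed[] = $label;
        } else {
            // false or a WP_Error both mean the Subscriber is turned away.
            $guarded[] = $label . ( is_wp_error( $allowed ) ? '  (' . $allowed->get_error_code() . ')' : '' );
        }
    }
}

printf( "%d report route(s) guarded, %d reachable by a Subscriber\n", count( $guarded ), count( $exposed ) );
foreach ( $exposed as $line ) {
    echo "EXPOSED: $line\n";
}
foreach ( $guarded as $line ) {
    echo "ok:      $line\n";
}
exit( empty( $exposed ) ? 0 : 2 );
```

Run it before and after updating the plugin: a vulnerable install lists every report route as EXPOSED, a fixed one lists them as guarded with the rest_forbidden error code. Because it calls the permission callbacks in-process rather than over HTTP, it works regardless of which authentication method the site exposes, and it never touches the report handlers themselves.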
Real-World Impact
Anyone who can register or log in on your site can pull your entire donor list. That list can be resold, used for targeted phishing (donors expect email from the charity they gave to), or trigger data-protection obligations and contractual breaches for the nonprofit or business running the site.
Quick Fixes and Remediation
- Update GiveWP: move to the first release after 3.22.1 that the vendor marks as fixing this issue, as soon as it is available; check the plugin release page.
- Audit user accounts: disable open registration (Settings > General > "Anyone can register") unless you need it, and remove stale or unnecessary accounts, especially low-privileged ones, since any login at all is enough to exploit this.
- Custom hardening: if you cannot update immediately, enforce the missing capability check yourself from a plugin or mu-plugin.
Here's a quick mu-plugin snippet that blocks the GiveWP report routes for users who lack the reporting capability. It hooks rest_pre_dispatch, which runs before the route's own permission callback, and tests the route so that every other REST endpoint (core, the block editor, other plugins) keeps working:
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Scope to the GiveWP report routes only; a blanket rest_authentication_errors
    // check would lock non-admins out of the whole REST API, block editor included.
    if ( 0 === strpos( $request->get_route(), '/give-api/v2/reports' ) && ! current_user_can( 'manage_give_settings' ) ) {
        // 401 for anonymous callers, 403 for logged-in users without the capability.
        return new WP_Error( 'rest_forbidden', __( 'You do not have permission to view GiveWP reports.' ), array( 'status' => rest_authorization_required_code() ) );
    }
    return $result;
}, 10, 3 );
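Blocking is only half of the job; you also want to know whether anyone tried. The following mu-plugin snippet (an added example for this article, not GiveWP code) logs every request to the report routes made by a user without the reporting capability, together with the HTTP status that was returned, so a 200 to such a user stands out as confirmed data exposure. It assumes the same /give-api/v2/reports prefix as the rest of the article and writes to the PHP error log via error_log(); ship that log to your SIEM as you would any other PHP log.

```php
<?php
/**
 * mu-plugins/givewp-report-access-log.php (added example, not part of GiveWP)
 * Records calls to the GiveWP report routes by users who lack the reporting capability.
 */
add_filter( 'rest_post_dispatch', function ( $response, $server, $request ) {
    // Same route prefix as used elsewhere in this article (assumption; adjust to your routes).
    if ( 0 !== strpos( $request->get_route(), '/give-api/v2/reports' ) ) {
        return $response;
    }
    // Privileged use is expected and not interesting for this log.
    if ( current_user_can( 'manage_give_settings' ) ) {
        return $response;
    }

    $user   = wp_get_current_user();          // ID 0 and empty login for anonymous callers
    $status = $response->get_status();

    // REMOTE_ADDR is the proxy's address behind a reverse proxy; use your proxy's
    // forwarded-for header there, after validating it, instead of trusting this blindly.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    error_log( sprintf(
        'givewp-report-access user=%d login=%s ip=%s method=%s route=%s status=%d result=%s',
        $user->ID,
        '' !== $user->user_login ? $user->user_login : 'anonymous',
        $ip,
        $request->get_method(),
        $request->get_route(),
        $status,
        // A 200 to an under-privileged user means report data was served: treat it as an incident.
        200 === $status ? 'DATA_SERVED' : 'blocked'
    ) );

    return $response;
}, 10, 3 );
```

On a patched or hardened site every line should read result=blocked with status 401 or 403; any result=DATA_SERVED line identifies the account to investigate. The hook runs after dispatch, so it observes what actually happened rather than what the permission callback was supposed to do, which is what you want from a detection control.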
References & Original Reports
- Wordfence advisory on GiveWP (see the Wordfence plugin vulnerability feed)
- GiveWP plugin page on WordPress.org
- GiveWP documentation
- CVE record for CVE-2025-2331 (pending publication at the time of writing)
Conclusion
CVE-2025-2331 is a classic example of how a single wrong line in a permission check, testing for a login instead of a capability, turns into a data exposure in widely used software. If you run GiveWP, check your version and update as soon as a fix is available. Review access control in every plugin that handles financial or personal data: each REST route's permission_callback should ask what the caller is allowed to do, not merely whether they are logged in.
Timeline
Published on: 03/22/2025 12:15:26 UTC