CVE-2025-11227

Published: Oct 4, 2025Modified: Nov 26, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.

Affected (1)

Products: Givewp: Givewp

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Givewp Givewp	Before 4.10.1

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (6)

https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L60

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L91

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L52

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L82

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371948%40give&new=3371948%40give&sfp_email=&sfph_mail=

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/54db1807-69ff-445c-9e02-9abce9fd3940?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.