CVE-2025-4571 | THREATINT

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.

PUBLISHED Reserved 2025-05-12 | Published 2025-06-19 | Updated 2026-04-08 | Assigner Wordfence

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

Any version

affected

Timeline

2025-05-07:	Discovered
2025-06-18:	Disclosed

Credits

Brian Sans-Souci finder

References

www.wordfence.com/...-e877-430e-a440-3af0feca818c?source=cve

plugins.trac.wordpress.org/...es/DeleteCampaignListTable.php

plugins.trac.wordpress.org/...Tickets/Routes/UpdateEvent.php

plugins.trac.wordpress.org/...utes/GetCampaignsListTable.php

plugins.trac.wordpress.org/...onors/Endpoints/ListDonors.php

plugins.trac.wordpress.org/.../Donors/Endpoints/Endpoint.php

plugins.trac.wordpress.org/...API/Endpoints/Logs/GetLogs.php

plugins.trac.wordpress.org/...PI/Endpoints/Logs/Endpoint.php

plugins.trac.wordpress.org/changeset/3305112/

cve.org (CVE-2025-4571)

nvd.nist.gov (CVE-2025-4571)

Download JSON

help @ threatint.eu