CVE-2025-2025
Published: 15 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2025, published on 2025-03-15T12:15:12.207, affects the GiveWP – Donation Plugin and Fundraising Platform for WordPress in all versions up to and including 3.22.0. The vulnerability is a missing capability check on the give_reports_earnings() function, which allows unauthorized access to data; it is classified under CWE-862: Missing Authorization. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N): medium severity, with high confidentiality impact and no integrity or availability impact.
Because the handler never verifies that the caller holds the capability required to view reports, any request that reaches it is served, so attackers can disclose the sensitive information contained in earnings reports remotely and with low complexity. There is an inconsistency to be aware of when prioritising: the CVSS vector specifies low privileges required (PR:L), but the CVE description explicitly states that no authentication is needed. Until the vector is corrected, treat the issue as unauthenticated, since that is the more exposed case and it means donation-related data on any affected WordPress site running the plugin can be read by anyone who can reach the site.
References point to the vulnerable code in the plugin's reports.php file at line 304, a WordPress.org plugin changeset (3252319) that likely contains the fix, the plugin's WordPress.org description page, and a Wordfence threat intelligence advisory with further details. Since every version up to and including 3.22.0 is affected, the remediation is to update the plugin to a later release; the changeset is useful for confirming what the fix changed and for writing a detection or a temporary hardening rule.
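The following is an added illustrative example, not GiveWP's code and not taken from the referenced changeset. It models the class of bug described above (a WordPress admin-ajax handler with no capability check) beside a hardened version. The hook name `demo_reports_earnings`, the function names, the use of the core capability `manage_options` and the report format are all assumptions for illustration; the plugin's real hook, capability names and report structure are not given on this page.

```php
<?php
// Added illustrative example, not GiveWP's code. Hook names, function names,
// the capability used and the report shape are assumptions.

// --- Vulnerable pattern: no capability check ---------------------------------
// Registering the same callback on both the wp_ajax_ and wp_ajax_nopriv_ hooks
// exposes it to logged-out visitors, so a "missing capability check" becomes an
// unauthenticated information disclosure (CWE-862).
add_action( 'wp_ajax_demo_reports_earnings',        'demo_reports_earnings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_reports_earnings', 'demo_reports_earnings_vulnerable' );

function demo_reports_earnings_vulnerable() {
    // No current_user_can() and no nonce: anyone who can request
    // /wp-admin/admin-ajax.php?action=demo_reports_earnings receives the data.
    $report = demo_build_earnings_report( $_GET );
    wp_send_json_success( $report );
}

// --- Hardened pattern --------------------------------------------------------
// Register only on the authenticated hook, require a capability, and verify a
// nonce so a logged-in user cannot be made to trigger the request cross-site.
add_action( 'wp_ajax_demo_reports_earnings_v2', 'demo_reports_earnings_hardened' );

function demo_reports_earnings_hardened() {
    // Authorization: 'manage_options' is a WordPress core capability used here
    // as a stand-in; a real plugin would check its own reporting capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF protection: check_ajax_referer() calls wp_die() when the nonce
    // passed in the 'nonce' query argument does not verify.
    check_ajax_referer( 'demo_reports_earnings', 'nonce' );

    $report = demo_build_earnings_report( $_GET );
    wp_send_json_success( $report );
}

// Stand-in for the report builder. It sanitizes the date range it is given and
// returns constructed sample output; a real implementation would query the
// donation records for that range.
function demo_build_earnings_report( array $params ) {
    $start = isset( $params['start'] ) ? sanitize_text_field( wp_unslash( $params['start'] ) ) : '';
    $end   = isset( $params['end'] )   ? sanitize_text_field( wp_unslash( $params['end'] ) )   : '';

    return array(
        'range' => array( 'start' => $start, 'end' => $end ),
        'total' => 0.0, // constructed placeholder value
    );
}
```

The capability check is the fix for the CWE-862 class; the nonce check is a separate control against cross-site request forgery and does not substitute for authorization, because WordPress will happily issue a nonce to any logged-in user. When reviewing a plugin for this bug pattern, look for every callback registered on a `wp_ajax_nopriv_` hook (or on a REST route with a permissive `permission_callback`) that returns data, and confirm each one performs a `current_user_can()` check appropriate to that data before building the response.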
Details
- CWE(s): CWE-862 Missing Authorization
Affected Products
- GiveWP – Donation Plugin and Fundraising Platform for WordPress, all versions up to and including 3.22.0
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The flaw gives remote, unauthenticated callers access to earnings reports in a WordPress plugin that runs on Internet-facing sites. An attacker who requests the unprotected endpoint is exploiting a public-facing application to disclose data, which is exactly the behaviour T1190 describes; no further foothold or privilege is needed for the disclosure itself.