CVE-2025-2025 MEDIUM

CVE-2025-2025: Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function

Vendor Stellarwp
Product GiveWP – Donation Plugin and Fundraising Platform
Weakness CWE-862 · Missing authorization
Published March 15, 2025
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.

Explanation of Vulnerability in Simple Terms

02 Summary

GiveWP versions up to and including 3.22.0 do not perform a capability check before give_reports_earnings() returns earnings report data, so anyone who can reach that function can read the report without holding the role the plugin normally requires for it. Note an inconsistency in this record: the title and description describe the attacker as unauthenticated, while the CVSS vector records PR:L (a low-privileged account). Until the patched behaviour is confirmed on your own install, treat the unauthenticated reading as the conservative one. The flaw permits reading only; it does not allow report or donation data to be modified or deleted.
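As an added illustration, not GiveWP's code and not the actual give_reports_earnings() implementation, the following hypothetical WordPress AJAX handler shows the CWE-862 pattern the description names (a report endpoint with no capability check) next to its hardened form. The give_demo_ function names, the nonce action name, the `range` parameter and the earnings figures are all invented for this example; the WordPress functions called (add_action, current_user_can, check_ajax_referer, wp_send_json_success, wp_send_json_error, sanitize_text_field, wp_unslash) are real core APIs.

```php
<?php
/*
 * Illustrative example only. Both handlers are hypothetical and the data
 * source give_demo_collect_earnings() returns constructed figures so the
 * pattern can be read without a WordPress install.
 */

// Constructed sample data standing in for a real earnings query.
function give_demo_collect_earnings( string $range ): array {
    return [
        'range'          => $range,
        'total_earnings' => 12450.00,
        'donation_count' => 87,
        'by_form'        => [ 'Annual Appeal' => 9200.00, 'Scholarship' => 3250.00 ],
    ];
}

// BEFORE: the CWE-862 pattern. The handler is reachable through
// admin-ajax.php and, because it is also hooked on the wp_ajax_nopriv_
// action, it answers visitors who are not logged in at all. Nothing
// checks who is asking before the report is serialised and sent.
function give_demo_reports_earnings_vulnerable() {
    $range = isset( $_GET['range'] )
        ? sanitize_text_field( wp_unslash( $_GET['range'] ) )
        : 'this_year';
    wp_send_json_success( give_demo_collect_earnings( $range ) );
}
add_action( 'wp_ajax_give_demo_reports_earnings', 'give_demo_reports_earnings_vulnerable' );
add_action( 'wp_ajax_nopriv_give_demo_reports_earnings', 'give_demo_reports_earnings_vulnerable' );

// AFTER: authorization first, then the CSRF nonce, then the work.
function give_demo_reports_earnings_fixed() {
    // Capability check. manage_options is a core capability held by
    // administrators; if the plugin defines its own report-viewing
    // capability, that is the one to require here.
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends the request, so nothing below runs.
        wp_send_json_error( [ 'message' => 'You are not allowed to view reports.' ], 403 );
    }

    // Nonce check. This is CSRF protection, not authorization: it proves
    // the request was issued from the plugin's own UI, not who issued it.
    check_ajax_referer( 'give_demo_reports_nonce', 'nonce' );

    $range = isset( $_GET['range'] )
        ? sanitize_text_field( wp_unslash( $_GET['range'] ) )
        : 'this_year';
    wp_send_json_success( give_demo_collect_earnings( $range ) );
}
add_action( 'wp_ajax_give_demo_reports_earnings_fixed', 'give_demo_reports_earnings_fixed' );
// Deliberately no wp_ajax_nopriv_ hook for the fixed handler: logged-out
// visitors get WordPress's default empty response instead of a report.
```

Two points worth checking in any plugin you audit for this class of bug: a nonce check alone is not an authorization check (a logged-in subscriber can obtain a valid nonce from any page that prints it), and registering an action on both wp_ajax_ and wp_ajax_nopriv_ is what turns a missing capability check into an unauthenticated disclosure rather than a low-privilege one, which is exactly the distinction this record leaves ambiguous.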

What an attacker can do

03 Attacker Capabilities

Read the contents of earnings reports, which the description characterises as sensitive, without holding the capability the plugin normally requires to view them. No write, modify or delete capability is gained (I:N, A:N).

Potential impact on your site

04 Site Impact

Earnings figures that should be visible only to report viewers are exposed to anyone who can invoke the function. Where those reports include per-form or per-donor detail, donor privacy is affected as well; the record does not enumerate which fields are returned, so check your own installation's report output to judge the exposure.

Conditions required to exploit

05 Prerequisites

The site must run GiveWP 3.22.0 or earlier. The attack is network-reachable with low complexity and needs no user interaction (AV:N, AC:L, UI:N). On the account requirement this record disagrees with itself: the title and description state that no authentication is needed, while the CVSS vector records PR:L, which would mean a low-privilege account such as a subscriber. Plan for the unauthenticated case unless you have verified otherwise.

Key dates

06 Disclosure timeline

March 15, 2025 CVE published
April 8, 2026 Record updated