What the vulnerability does
01 Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
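The class of defect described above, in an added illustrative example that is not GiveWP's own code: a WordPress REST permission callback that only verifies login, or a broad capability such as `edit_posts` (held by Contributors), beside a check that requires a capability tied to the protected data. The namespace, route, handler name and the custom capability `manage_example_donations` are assumptions made for this example.

```php
<?php
// Added illustrative example, not GiveWP's code. The route, handler and the
// custom capability 'manage_example_donations' are assumptions.

/**
 * Insufficient: passes for any authenticated user, so Contributor-level
 * accounts reach endpoints that expose or modify campaign and donor data.
 */
function example_weak_permissions_check(WP_REST_Request $request): bool {
    return is_user_logged_in();
}

/**
 * Also insufficient: 'edit_posts' is granted to the Contributor role by
 * default, so it does not distinguish staff from ordinary content authors.
 */
function example_broad_permissions_check(WP_REST_Request $request): bool {
    return current_user_can('edit_posts');
}

/**
 * Hardened: require a capability that only roles entitled to manage the
 * data actually hold (an administrator capability such as 'manage_options',
 * or a plugin-defined one mapped to staff roles). Returning WP_Error gives
 * the client a proper 401/403 rather than a bare false.
 */
function example_hardened_permissions_check(WP_REST_Request $request) {
    if (current_user_can('manage_options') || current_user_can('manage_example_donations')) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __('Sorry, you are not allowed to manage donation data.'),
        ['status' => rest_authorization_required_code()]
    );
}

// Assumed handler; the permission callback above runs before it.
function example_delete_campaign(WP_REST_Request $request) {
    return rest_ensure_response(['deleted' => (int) $request['id']]);
}

add_action('rest_api_init', function () {
    register_rest_route('example-donations/v1', '/campaigns/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_campaign',
        'permission_callback' => 'example_hardened_permissions_check',
    ]);
});
```

When reviewing a plugin's REST routes, the quickest check is to list every `permission_callback` and confirm each tests a capability that low-privilege roles do not hold, rather than only `is_user_logged_in()` or `edit_posts`.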
Explanation of Vulnerability in Simple Terms
02 Summary
GiveWP versions up to 4.3.0 lack proper authorization checks, allowing authenticated users with low privileges to read and modify sensitive donation data they should not access. An attacker with a standard user account can view or alter donation records and related information. Update to a version newer than 4.3.0 to restore proper access controls.
What an attacker can do
03 Attacker Capabilities
Read and modify donation records and sensitive data belonging to other users or the organization.
Potential impact on your site
04 Site Impact
Donors' personal and financial information may be exposed or altered by unauthorized users with basic site access.
Conditions required to exploit
05 Prerequisites
The attacker must have a low-privilege authenticated account on the site (e.g., a subscriber or donor account).
Key dates
06 Disclosure timeline
June 19, 2025: CVE published
April 8, 2026: Record updated