What the vulnerability does
01Description
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery.This issue affects GiveWP: from n/a through <= 4.13.1.
CVE-2025-67467
MEDIUM
CVE-2025-67467: WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability
CVSS base score
5.4/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Explanation of Vulnerability in Simple Terms
02Summary
GiveWP versions up to 4.13.1 are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the GiveWP plugin without the admin's knowledge or consent. The attacker cannot read sensitive data, but can modify settings or trigger unintended operations.
What an attacker can do
03Attacker Capabilities
Perform unwanted actions on GiveWP (modify settings, trigger operations) when a logged-in admin visits a malicious page.
Potential impact on your site
04Site Impact
An attacker can trick your admins into unknowingly changing GiveWP settings or performing actions without their consent.
Conditions required to exploit
05Prerequisites
A logged-in GiveWP administrator must visit a page controlled by the attacker (e.g., via a malicious link or email).
Key dates
06Disclosure timeline
December 9, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2023-49855 WordPress BC Menu Bar Cart Icon For WooCommerce By Binary Carpenter Plugin <= 1.49.3 is vulnerable to Cross Site Request Forgery (CSRF)
CVE-2021-25025 Event Calendar < 1.1.51 - Subscriber+ Event Creation
CVE-2023-2474 Rebuild cross-site request forgery
CVE-2026-1468 Cross-Site Request Forgery in QuickCMS
CVE-2024-12383 Binary MLM Woocommerce <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
