5.4

CVE-2025-4571

EPSS 0.1%
Veröffentlicht 19.06.2025 06:44:48
Zuletzt bearbeitet 10.07.2025 00:04:02
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.

Mögliche Gegenmaßnahme

GiveWP – Donation Plugin and Fundraising Platform: Update to version 4.3.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 13

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt GiveWP – Donation Plugin and Fundraising Platform

Version *-4.3.0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Givewp ≫ Givewp SwPlatformwordpress Version < 4.3.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.282

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c?source=cve

Third Party Advisory

https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/DeleteCampaignListTable.php#L40

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/EventTickets/Routes/UpdateEvent.php#L36

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/GetCampaignsListTable.php#L95

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/ListDonors.php#L31

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/Endpoint.php#L57

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/GetLogs.php#L40

Product

https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/Endpoint.php#L26

Product

https://plugins.trac.wordpress.org/changeset/3305112/

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-4571

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-4571

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-4571

EUVD