
CVE-2025-2331 – GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2025-2331
21 Mar 2025 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts. • https://plugins.trac.wordpress.org/browser/give/trunk/src/API/Endpoints/Reports/Endpoint.php?rev=3252319#L117 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2025-2025 – Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function
https://notcve.org/view.php?id=CVE-2025-2025
14 Mar 2025 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports. • https://plugins.trac.wordpress.org/browser/give/trunk/includes/admin/reports/reports.php#L304 • CWE-862: Missing Authorization

CVE-2025-0912 – GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2025-0912
03 Mar 2025 — The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution. • https://github.com/impress-org/givewp/pull/7679/files • CWE-502: Deserialization of Untrusted Data