The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU.
El plugin GiveWP de WordPress versiones anteriores a 2.21.3, no presenta comprobación de tipo CSRF cuando exporta datos, y no comprueba los parámetros de exportación como las fechas, lo que podría permitir a atacantes hacer que un administrador conectado haga DoS al servidor web por medio de un ataque de tipo CSRF, ya que el plugin intentará recuperar datos de la base de datos muchas veces, lo que conlleva a abrumar la CPU del objetivo
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.21.2. This is due to missing or incorrect nonce validation on the can_export function. This makes it possible for unauthenticated attackers to trigger report exports via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
