CVE-2025-4571

Sažetak

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.

Reference

https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/Endpoint.php#L26
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/API/Endpoints/Logs/GetLogs.php#L40
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/DeleteCampaignListTable.php#L40
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Campaigns/ListTable/Routes/GetCampaignsListTable.php#L95
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/Endpoint.php#L57
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/Donors/Endpoints/ListDonors.php#L31
https://plugins.trac.wordpress.org/browser/give/tags/4.2.0/src/EventTickets/Routes/UpdateEvent.php#L36
https://plugins.trac.wordpress.org/changeset/3305112/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8f03b4ef-e877-430e-a440-3af0feca818c?source=cve

CVSS

Base:	5.4
Impact:	2.5
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Zadnje važnije ažuriranje

19-06-2025 - 07:15

Objavljeno

19-06-2025 - 07:15