CVE-2025-7221

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/give/trunk/includes/payments/functions.php#L339
https://plugins.trac.wordpress.org/changeset/3333090/give
https://www.wordfence.com/threat-intel/vulnerabilities/id/8766608e-df72-4b9d-a301-a50c64fadc9a?source=cve

Configurations

No configuration.

History

22 Aug 2025, 18:09

Type	Values Removed	Values Added
Summary		(es) El complemento GiveWP – Donation Plugin and Fundraising Platform para WordPress es vulnerable a la modificación no autorizada de datos debido a la falta de una comprobación de capacidad en la función give_update_payment_status() en todas las versiones hasta la 4.5.0 incluida. Esto permite que atacantes autenticados, con acceso de nivel Worker de GiveWP y superior, actualicen el estado de las donaciones. Esta función no está disponible en la interfaz de usuario.

21 Aug 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-21 06:15

Updated : 2025-08-22 18:09

NVD link : CVE-2025-7221

Mitre link : CVE-2025-7221

CVE.ORG link : CVE-2025-7221

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

4.3 /10