CVE-2025-4571
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-07-10
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| givewp | givewp | up to 4.3.1 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-4571 is a security vulnerability in the GiveWP WordPress plugin (Donation Plugin and Fundraising Platform) affecting all versions up to and including 4.3.0. The vulnerability arises from insufficient capability checks in the permissionsCheck functions across multiple REST API endpoints. This flaw allows authenticated users with Contributor-level access or higher to bypass proper permission restrictions, enabling them to view or delete fundraising campaigns, access donors' data, and modify campaign events without proper authorization. [7]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access and modification of sensitive data within the GiveWP plugin. Specifically, attackers with Contributor-level access or above can view or delete fundraising campaigns, access personal donor information, and modify campaign events. This could result in data breaches, loss or manipulation of fundraising data, and potential disruption of fundraising activities on affected WordPress sites. [7]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to GiveWP plugin REST API endpoints due to insufficient permission checks. Detection can be done by monitoring REST API requests to the affected endpoints (campaigns, donors, events, and logs), especially those made by users with Contributor-level access or above. You can detect suspicious activity by checking for unauthorized GET, DELETE, or PUT/PATCH requests to endpoints like:

- /give-api/v2/campaigns/list-table (GET, DELETE)
- /give-api/v2/admin/donors (GET)
- /give-api/v2/events-tickets/event/<event_id> (PUT/PATCH)
- /give-api/v2/logs/get-logs (GET)

Suggested commands to detect such activity on a system with access to web server logs:

1. Use grep to find REST API calls to the GiveWP endpoints. The optional group in front of `/give-api/v2/` covers the default `/wp-json` REST prefix and the `/?rest_route=` query form, so the pattern matches whichever URL style the site uses:

   ```
   grep -E '"(GET|DELETE|PUT|PATCH) (/wp-json|/[?]rest_route=)?/give-api/v2/(campaigns|admin/donors|events-tickets/event|logs/get-logs)' /path/to/access.log
   ```

2. To identify requests made by users with lower privileges (if user info is logged), filter the logs for Contributor-level users or unknown users.
3. Use WordPress audit or security plugins to log REST API requests and check for unauthorized access attempts.
4. If you have access to the WordPress database or can run WP-CLI commands, audit user roles and capabilities to identify users with Contributor-level access who might exploit this.

Note: The vulnerability stems from insufficient capability checks in the plugin's REST API endpoints, so monitoring REST API usage and permission enforcement failures (HTTP 403 or 401 responses) can help detect exploitation attempts. [1, 2, 3, 4, 5, 6]
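The log checks above, worked into a small script as an added example (not code from the BaseFortify page or from the GiveWP project). It assumes the web server writes Apache/Nginx "combined" format access logs and that the site exposes the REST API under the default `/wp-json` prefix or the `/?rest_route=` query form; the lines in `SAMPLE_LOG` are constructed for the demonstration, not captured traffic. It goes beyond the page's single grep by splitting matched requests into accepted (2xx) responses, which are the ones to review against the requesting account's role, and rejected (401/403) responses, which show the permission check holding.

```shell
#!/bin/sh
# Added example; not code from the BaseFortify page or from the GiveWP project.
# Assumes Apache/Nginx "combined" access log lines: client IP, ident, user, [time],
# "METHOD PATH PROTO", status, bytes, referrer, user agent.

# Constructed sample traffic for the demonstration (not captured from a real site).
# 203.0.113.10 reaches the campaign and donor routes with 200 responses; 198.51.100.7 is
# turned away with 403/401; 192.0.2.5 touches requests the advisory does not list.
SAMPLE_LOG='203.0.113.10 - - [20/Jun/2025:10:01:02 +0000] "GET /wp-json/give-api/v2/campaigns/list-table HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2025:10:01:09 +0000] "DELETE /wp-json/give-api/v2/campaigns/list-table?ids=12 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2025:10:02:30 +0000] "GET /?rest_route=/give-api/v2/admin/donors&page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2025:10:03:11 +0000] "PATCH /wp-json/give-api/v2/events-tickets/event/42 HTTP/1.1" 403 98 "-" "curl/8.0"
198.51.100.7 - - [20/Jun/2025:10:03:15 +0000] "GET /wp-json/give-api/v2/logs/get-logs HTTP/1.1" 401 98 "-" "curl/8.0"
192.0.2.5 - - [20/Jun/2025:10:04:00 +0000] "POST /wp-json/give-api/v2/campaigns/list-table HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Jun/2025:10:04:05 +0000] "GET /wp-content/plugins/give/assets/x.js HTTP/1.1" 200 3000 "-" "Mozilla/5.0"'

# Routes and methods from the advisory. The optional group in front of /give-api/v2/
# accepts the default /wp-json prefix and the /?rest_route= query form.
GIVE_ROUTE_RE='"(GET|DELETE|PUT|PATCH) (/wp-json|/[?]rest_route=)?/give-api/v2/(campaigns/list-table|admin/donors|events-tickets/event/[0-9]+|logs/get-logs)'

# Pass through every log line (stdin) that hits one of the affected routes.
givewp_route_hits() {
    grep -E "$GIVE_ROUTE_RE"
}

# One "IP METHOD ROUTE STATUS" record per accepted (2xx) hit. These are the requests the
# permission check let through, so each one should be matched against the requesting
# account's role (web server logs alone do not carry the WordPress user).
givewp_accepted_hits() {
    givewp_route_hits | awk '$9 ~ /^2[0-9][0-9]$/ {
        sub(/^\/[?]rest_route=/, "", $7)   # /?rest_route=/give-api/... -> /give-api/...
        sub(/^\/wp-json/, "", $7)          # /wp-json/give-api/...      -> /give-api/...
        sub(/[?&].*/, "", $7)              # drop the query string
        print $1, $6, $7, $9
    }' | tr -d '"'
}

# Number of 401/403 responses on the affected routes. A burst from one client is a cheap
# signal that the endpoints are being probed even though the check is holding.
givewp_rejected_count() {
    givewp_route_hits | awk '$9 == 401 || $9 == 403 { n++ } END { print n + 0 }'
}

# Stand-alone run over the sample; replace the printf with `cat /path/to/access.log`.
echo "accepted requests to affected GiveWP routes:"
printf '%s\n' "$SAMPLE_LOG" | givewp_accepted_hits
echo "rejected (401/403) requests: $(printf '%s\n' "$SAMPLE_LOG" | givewp_rejected_count)"
```

The accepted list is the review queue: a 200 on a DELETE to the campaigns list-table from an account that should only hold Contributor rights is exactly the condition the advisory describes, and only the WordPress side (audit plugin, `wp user list`) can tie the request to a role.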
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the GiveWP plugin to version 4.3.1 or later, where CVE-2025-4571 has been fixed by enforcing stricter and more appropriate permission checks across all affected REST API endpoints and administrative functions. This update ensures that only users with proper capabilities (such as 'manage_options', 'edit_give_payments', 'delete_give_payments', or 'edit_give_forms') can view, modify, or delete sensitive data.

If updating immediately is not possible, as a temporary measure, restrict access to the affected REST API endpoints by limiting which user roles can authenticate, or by applying firewall or web server rules that block REST API requests from users with insufficient privileges. Additionally, review and tighten user roles and capabilities in WordPress to minimize the number of users with Contributor-level or higher access who do not require it.

In summary:

1. Update the GiveWP plugin to version 4.3.1 or later.
2. Restrict REST API access to authorized users only.
3. Review and adjust user roles and capabilities.
4. Monitor logs for suspicious activity.

These steps will mitigate the risk of unauthorized data access or modification due to this vulnerability. [7]
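A command-line check for step 1 of the summary, with a role listing to support step 3, as an added example (not code from the page or from the GiveWP project). The version comparison runs anywhere with awk; the WP-CLI commands are assumed to be available only on the WordPress host and are skipped elsewhere, and the plugin slug `give` is an assumption about the installed package name. Plain string comparison is not enough for this check (it would rank 4.10.0 below 4.3.1), which is why the version is split into numeric parts.

```shell
#!/bin/sh
# Added example; not code from the BaseFortify page or from the GiveWP project.
# Assumptions: dotted numeric version strings, awk on PATH, and (for the WP-CLI part)
# that the plugin is installed under the slug "give" on a host where `wp` is available.

FIXED_VERSION="4.3.1"   # first release with the permission checks fixed, per the advisory

# version_lt A B -> exit 0 when A sorts before B as dotted numeric versions, 1 otherwise.
# Missing trailing parts count as 0, so "4.3" sorts before "4.3.1".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# givewp_needs_update VERSION -> prints "yes" when VERSION is in the affected range.
givewp_needs_update() {
    if version_lt "$1" "$FIXED_VERSION"; then echo yes; else echo no; fi
}

# On a WordPress host with WP-CLI: read the installed version, update if affected, and
# list the accounts that step 3 of the summary is about (Contributor and above).
if command -v wp >/dev/null 2>&1; then
    installed=$(wp plugin get give --field=version 2>/dev/null || echo "")
    if [ -z "$installed" ]; then
        echo "GiveWP (slug 'give') not found on this site"
    elif [ "$(givewp_needs_update "$installed")" = yes ]; then
        echo "GiveWP $installed is affected; updating to the latest release"
        wp plugin update give
    else
        echo "GiveWP $installed is at or above $FIXED_VERSION"
    fi
    for role in contributor author editor administrator; do
        echo "--- users with role: $role"
        wp user list --role="$role" --fields=ID,user_login,user_email
    done
else
    echo "wp not on PATH; version check only:"
    for v in 4.2.0 4.3.0 4.3.1 4.4.0; do
        echo "$v needs update: $(givewp_needs_update "$v")"
    done
fi
```

The role listing is the starting point for step 3: every account in those lists that does not need to publish or edit content should be moved to Subscriber, which drops it out of the Contributor-and-above group the advisory names.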