Cyber Resilience

CVE-2025-2025

Severity: Medium
Published: 15 March 2025
Modified: 25 March 2025
KEV Added: none (not listed in the CISA KEV catalog)
CVSS Score (v3.1): 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0023 (46.1st percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2025 is a medium-severity Missing Authorization (CWE-862) vulnerability in Givewp Givewp. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 46.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-2025, published on 2025-03-15T12:15:12.207, affects the GiveWP – Donation Plugin and Fundraising Platform for WordPress in all versions up to and including 3.22.0. The vulnerability stems from a missing capability check on the give_reports_earnings() function, which permits unauthorized access to data; it is classified under CWE-862: Missing Authorization. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact.

Unauthenticated attackers can exploit this issue remotely with low complexity to disclose sensitive information contained within earnings reports. The CVSS vector specifies low privileges required (PR:L), yet the vulnerability description explicitly states that no authentication is needed, so donation-related data is broadly exposed on affected WordPress sites running the plugin.

The references point to the vulnerable code in the plugin's reports.php file at line 304, to changeset 3252319 (likely the fix), to the plugin's WordPress.org description page, and to a Wordfence threat intelligence advisory with further vulnerability details. Security practitioners should review these for patch implementation guidance.

Vulnerability details

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote unauthenticated access to sensitive earnings reports in a public-facing WordPress plugin due to missing authorization, directly enabling exploitation of public-facing applications for data disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-47183 (same product: Givewp Givewp)
CVE-2025-0912 (same product: Givewp Givewp)
CVE-2025-22777 (same product: Givewp Givewp)
CVE-2024-12877 (same product: Givewp Givewp)
CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)

Affected Assets

Vendor: givewp
Product: givewp
Versions: ≤ 3.22.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, directly addressing the missing capability check that allows unauthorized disclosure of earnings reports.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Explicitly authorizes the specific actions that may be performed without identification or authentication, preventing unauthenticated access to sensitive functions such as give_reports_earnings().

AC-6 Least Privilege (prevent)
Employs least privilege to restrict access to only the necessary functions, mitigating broad unauthorized data exposure from missing checks.