Cyber Posture

CVE-2025-2025

Medium

Published: 15 March 2025
Modified: 25 March 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0023 (45.8th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2025 is a medium-severity Missing Authorization (CWE-862) vulnerability in Givewp Givewp. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 45.8th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly addressing the missing capability check that allows unauthorized disclosure of earnings reports.

AC-14 Permitted Actions Without Identification or Authentication (prevent): Explicitly authorizes the specific actions that may be performed without identification or authentication, preventing unauthenticated access to sensitive functions such as give_reports_earnings().

AC-6 Least Privilege (prevent): Restricts each account to only the functions it needs, mitigating broad unauthorized data exposure from missing checks.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote unauthenticated access to sensitive earnings reports in a public-facing WordPress plugin due to missing authorization, directly enabling exploitation of public-facing applications for data disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.

Deeper analysis

CVE-2025-2025, published on 2025-03-15T12:15:12.207, affects the GiveWP – Donation Plugin and Fundraising Platform for WordPress in all versions up to and including 3.22.0. The vulnerability stems from a missing capability check on the give_reports_earnings() function, enabling unauthorized access to data and classified under CWE-862: Missing Authorization. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact.

Unauthenticated attackers can exploit this issue remotely with low complexity to disclose sensitive information contained within earnings reports. Although the CVSS vector specifies low privileges required (PR:L), the vulnerability description explicitly notes that no authentication is needed, allowing broad exposure of donation-related data on affected WordPress sites running the plugin.
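The weakness class described above (CWE-862, a report handler that never asks whether the caller is allowed to see the data) is easiest to see as a before/after pair. The following is an added illustration, not GiveWP's code: the hook names, callback names, the `example_build_earnings_report()` helper and the `manage_options` capability are all assumptions chosen for the example. It shows a WordPress admin-ajax handler first in the unchecked form, then with the explicit authorization that the AC-3 and AC-14 controls call for.

```php
<?php
/**
 * Illustrative WordPress admin-ajax handler for an earnings report.
 * Hypothetical code, not GiveWP's: hook names, callback names, the
 * report helper and the capability string are assumptions for this example.
 */

// --- Unchecked pattern: the callback is reachable by any caller and
// --- never verifies authorization before returning earnings data (CWE-862).
function example_reports_earnings_unchecked() {
    $report = example_build_earnings_report();
    wp_send_json_success( $report ); // data goes to whoever reached the hook
}
// Shown for contrast only (not registered here): a "nopriv" registration
// exposes the callback to logged-out visitors, and without a capability
// check a logged-in low-privilege user (the PR:L of the CVSS vector)
// is served the same data.
// add_action( 'wp_ajax_example_reports_earnings',        'example_reports_earnings_unchecked' );
// add_action( 'wp_ajax_nopriv_example_reports_earnings', 'example_reports_earnings_unchecked' );

// --- Hardened pattern: authorization is enforced before any report is built.
function example_reports_earnings_hardened() {
    // 1. Anti-CSRF: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_reports_nonce', 'nonce' );

    // 2. Authorization (AC-3): the caller must hold a capability the site
    //    grants only to report viewers. 'manage_options' is a conservative
    //    stand-in for a plugin-specific capability (assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $report = example_build_earnings_report();
    wp_send_json_success( $report );
}
// Only the authenticated hook is registered (AC-14: no action is permitted
// without authentication), so unauthenticated requests never reach the
// callback at all.
add_action( 'wp_ajax_example_reports_earnings', 'example_reports_earnings_hardened' );

/**
 * Stand-in for the real report builder; returns constructed sample data.
 */
function example_build_earnings_report() {
    return array(
        'period'   => '2025-03',   // constructed sample value
        'earnings' => 1234.56,     // constructed sample value
    );
}
```

The same review applies to REST routes registered with `register_rest_route()`: a `permission_callback` of `__return_true` is the REST equivalent of the unchecked handler above and should wrap the same `current_user_can()` test. When auditing a plugin for this weakness class, listing every `wp_ajax_nopriv_*` registration and every REST route whose `permission_callback` returns true unconditionally, then confirming each one really is meant to be public, is the quickest way to find handlers that need the hardened form.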

References point to the vulnerable code in the plugin's reports.php file at line 304, a changeset 3252319 likely addressing the issue, the plugin's WordPress.org description page, and a Wordfence threat intelligence advisory providing further vulnerability details. Security practitioners should review these for patch implementation guidance.

Details

CWE(s): CWE-862 Missing Authorization

Affected Products: givewp / givewp, ≤ 3.22.1

CVEs Like This One

CVE-2025-0912 (same product: Givewp Givewp)
CVE-2025-22777 (same product: Givewp Givewp)
CVE-2023-47183 (same product: Givewp Givewp)
CVE-2024-12877 (same product: Givewp Givewp)
CVE-2025-67974 (shared CWE-862)
CVE-2026-28254 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2025-69297 (shared CWE-862)
CVE-2025-69186 (shared CWE-862)
CVE-2026-25456 (shared CWE-862)

References