CVE-2025-11227: 
WordPress vulnerability analysis and mitigation

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress (CVE-2025-11227) contains an Information Exposure vulnerability affecting all versions up to and including 4.10.0. The vulnerability was discovered on October 3, 2025, and is related to missing capability checks in several functions including 'registerGetForm', 'registerGetForms', 'registerGetCampaign', and 'registerGetCampaigns' (NVD).

The vulnerability stems from improper authorization controls in the REST API endpoints. The affected functions lack proper capability checks, which allows unauthenticated attackers to access private and draft donation forms, as well as archived campaigns. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The issue is classified as CWE-285 (Improper Authorization) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to extract sensitive data from private and draft donation forms, as well as archived campaigns. This could potentially expose confidential information about donations, campaigns, and organizational data that was intended to remain private (NVD).

The vulnerability has been patched in version 4.10.1 of the GiveWP plugin. The fix includes improved REST endpoint permissions for campaigns and forms. Users are advised to update to version 4.10.1 or later to protect against this vulnerability (NVD).