CVE-2025-2331: 
WordPress vulnerability analysis and mitigation

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 3.22.1. The vulnerability was discovered on March 22, 2025, and is tracked as CVE-2025-2331. The issue stems from a misconfigured capability check in the 'permissionsCheck' function, which affects WordPress installations using this popular donation plugin (NVD).

The vulnerability exists due to a misconfigured capability check in the 'permissionsCheck' function within the Reports Endpoint API. The issue allows authenticated users with Subscriber-level access and above to access sensitive data through the API endpoint. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to extract sensitive information including reports detailing donors and donation amounts. This unauthorized access to donor information could potentially compromise donor privacy and financial data (NVD).

The issue has been addressed in version 3.22.2 of the GiveWP plugin, as evidenced by the update released on March 19, 2025. Users are strongly advised to update to this latest version to protect against potential exploitation (WordPress Plugin).