CVE-2025-4571: 
WordPress vulnerability analysis and mitigation

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress contains an insufficient capability check vulnerability (CVE-2025-4571) in versions up to and including 4.3.0. The vulnerability exists in the permissionsCheck functions across multiple endpoints, allowing authenticated attackers with Contributor-level access or higher to perform unauthorized actions (NVD).

The vulnerability stems from improper authorization checks in multiple plugin endpoints. The affected components include campaign management, donor data access, event management, and other administrative functions. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue is classified as CWE-862: Missing Authorization (NVD, Wordfence).

The vulnerability allows authenticated attackers with Contributor-level access to perform unauthorized actions including viewing and deleting fundraising campaigns, accessing donors' personal data, and modifying campaign events. This represents a significant breach of access control that could compromise sensitive donor information and campaign integrity (NVD).

The vulnerability has been patched in version 4.3.1 of the GiveWP plugin. Users are strongly advised to update to this version immediately. The fix includes updated permission checks across multiple endpoints to properly validate user capabilities before allowing access to sensitive functions (WordPress Plugin).