CVE-2025-7221: 
WordPress vulnerability analysis and mitigation

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress contains a vulnerability (CVE-2025-7221) discovered on August 21, 2025. The vulnerability affects all versions up to and including 4.5.0, allowing authenticated attackers with GiveWP Worker-level access or higher to modify donation statuses through unauthorized data modification due to a missing capability check in the give_update_payment_status() function (NVD CVE).

The vulnerability stems from a missing capability check in the give_update_payment_status() function, which allows authenticated users with GiveWP Worker-level access to modify donation statuses. The CVSS v3.1 score is 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-285 (Improper Authorization) (NVD CVE).

The vulnerability allows authenticated attackers with GiveWP Worker-level access to modify donation statuses, potentially compromising the integrity of donation records. This capability is not intended to be available through the user interface, indicating an unauthorized access to functionality (NVD CVE).

Users should update their GiveWP plugin to versions newer than 4.5.0 when available. The vulnerability was identified in the payment status update functionality located at plugins.trac.wordpress.org/browser/give/trunk/includes/payments/functions.php#L339 (Wordfence Source).