
Cloud Vulnerability DB
A community-led vulnerabilities database
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress (CVE-2025-8620) contains an Information Exposure vulnerability affecting all versions up to and including 4.6.0. The vulnerability was discovered and disclosed on August 5, 2025. This security issue affects WordPress installations using the GiveWP plugin, a popular donation and fundraising platform (NVD).
The vulnerability allows unauthenticated attackers to extract sensitive donor information including names, emails, and donor IDs directly from the page source code. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD, Rapid7).
The vulnerability exposes donor personal information, including names, email addresses, and donor IDs, to unauthorized users. Payment information, billing details, passwords, credentials, and administrative data were not exposed in this vulnerability (LinkedIn Post).
The vulnerability has been patched in version 4.6.1 of the GiveWP plugin. Site administrators are strongly advised to update their GiveWP plugin to this version immediately to restore full donor privacy protections. The update can be performed through the WordPress Dashboard under Plugins > Installed Plugins. It is recommended to back up the site before performing the update (LinkedIn Post).
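For administrators checking several sites against the version boundary above, the following is an added example (not GiveWP or Wiz code) that reads the `Version:` field from a plugin header and classifies it relative to 4.6.1. The function names and the sample header are constructed for illustration, and it assumes you have already collected each site's plugin header text.

```python
import re

FIXED = (4, 6, 1)  # first patched release according to the advisory

# Constructed sample of a WordPress plugin header (not copied from GiveWP).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Example donation plugin
 * Version: 4.6.0
 */
"""

def header_version(php_text):
    """Return the 'Version:' value from a plugin header, or None if absent."""
    # WordPress only scans the first 8 KB of the main file for header fields.
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", php_text[:8192], re.M | re.I)
    return m.group(1) if m else None

def parse(version):
    """Split '4.6.0' into ((4, 6, 0), has_suffix); (None, True) if unparseable."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        return None, True
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # '4.6' is treated as 4.6.0
    return nums, bool(m.group(2))

def classify(version):
    """Return 'affected', 'patched', 'review' or 'unknown' for a version string."""
    if version is None:
        return "unknown"
    nums, suffix = parse(version)
    if nums is None:
        return "unknown"
    if nums < FIXED:                         # everything up to and including 4.6.0
        return "affected"
    if suffix and nums[:3] == FIXED:         # e.g. '4.6.1-beta': confirm by hand
        return "review"
    return "patched"

def audit(headers_by_site):
    """Map each site name to its classification."""
    return {site: classify(header_version(text))
            for site, text in headers_by_site.items()}

if __name__ == "__main__":
    print(audit({"constructed-site.example": SAMPLE_HEADER}))
```

Sites reported as `unknown` or `review` need a manual check, since a missing or non-release version string cannot be placed on either side of the fix.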
GiveWP responded promptly to the vulnerability disclosure by releasing a critical privacy fix in version 4.6.1. The company has been transparent about the issue, clearly communicating what information was and wasn't exposed, and providing detailed update instructions to their users (LinkedIn Post).
Source: This report was generated using AI