CVE-2025-8620
WordPress vulnerability analysis and mitigation

Overview

CVE-2025-8620 affects the GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress in versions up to and including 4.6.0. The vulnerability was discovered and disclosed in August 2025, and the initial CVE record was published on August 6, 2025. It allows unauthenticated attackers to extract sensitive donor information, including names, emails, and donor IDs (NVD).

Technical details

The vulnerability is classified as an Information Exposure issue (CWE-200) that exposes sensitive donor information directly in the website's source code. The vulnerability exists within the GiveDonationOptions JavaScript object where donor information is inadvertently exposed. The CVSS v3.1 base score is 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability can be exploited remotely without requiring privileges or user interaction (Wordfence).

Impact

The vulnerability exposes donor names, email addresses, and donor IDs to potential attackers. Payment information, billing details, passwords, credentials, and administrative data were not exposed by this vulnerability (LinkedIn).

Mitigation and workarounds

The vulnerability has been patched in version 4.6.1 of the GiveWP plugin. Site administrators are strongly advised to update their GiveWP plugin immediately to this version to restore full donor privacy protections. The update can be performed through the WordPress Dashboard by navigating to Plugins > Installed Plugins and updating GiveWP to the latest version (LinkedIn).
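To confirm after updating that rendered pages no longer carry donor data, the following added example (not code from GiveWP or from this report) audits saved page source for email addresses inside the GiveDonationOptions object. It assumes the object is embedded as a plain JSON literal assigned to that name; the sample pages and their field names are constructed for illustration.

```python
import json
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
OBJECT_NAME = "GiveDonationOptions"  # object named in the advisory


def extract_object(html, name=OBJECT_NAME):
    """Return the first JSON object literal assigned to `name`, or None."""
    decoder = json.JSONDecoder()
    for match in re.finditer(re.escape(name) + r"\s*=\s*", html):
        start = match.end()
        if html[start:start + 1] != "{":
            continue
        try:
            obj, _ = decoder.raw_decode(html, start)
        except ValueError:
            continue  # assignment is not plain JSON; try the next occurrence
        return obj
    return None


def email_paths(node, path=""):
    """Yield key paths whose string value contains an email address."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from email_paths(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from email_paths(value, f"{path}[{index}]")
    elif isinstance(node, str) and EMAIL_RE.search(node):
        yield path


def audit(html):
    """Summarise exposure by key path, without echoing donor values."""
    obj = extract_object(html)
    if obj is None:
        return {"object_found": False, "email_paths": []}
    return {"object_found": True, "email_paths": sorted(email_paths(obj))}


# Constructed sample pages; the field names are assumptions, not GiveWP's schema.
LEAKY = ('<script>var GiveDonationOptions = {"currency":"USD","donors":'
         '[{"id":7,"name":"Jane Roe","email":"jane@example.org"}]};</script>')
CLEAN = '<script>var GiveDonationOptions = {"currency":"USD"};</script>'

if __name__ == "__main__":
    print(audit(LEAKY))
    print(audit(CLEAN))
```

Run it against the saved source of each page that renders a donation form; an empty `email_paths` list on every page is the expected result once the site is on 4.6.1.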

Community reactions

The vulnerability was initially reported through GitHub issues, where security researchers highlighted the exposure of donor information. GiveWP responded promptly by releasing a critical privacy fix and actively communicating with users through various channels including LinkedIn about the importance of updating to the patched version (GitHub, LinkedIn).


This report was generated using AI.
