Information exposure flaw affects GiveWP donation plugin
A vulnerability in the plugin GiveWP exposes donor names and emails on thousands of WordPress sites. No login required. Find out what happened, why it's controversial... and most importantly, how to protect yourself.
Background: a serious flaw in a widely used plugin
The GiveWP - Donation Plugin and Fundraising Platform plugin, used by at least 100,000 WordPress sites to manage donations, was recently hit by an information exposure flaw (CWE-200).
This vulnerability allows anyone to retrieve the list of donors (names, email addresses, donor IDs) without being logged in or holding any special privileges.
And all this, simply by visiting a site.
Technical details
- CVE: CVE-2025-8620
- CVSS score: 5.3
- Severity level: Medium
- Affected versions: all versions up to and including 4.6.0
- Publication date: August 6, 2025
- Fixed in version: 4.6.1
What are the practical consequences?
If you use GiveWP, you should know that this flaw allows an ordinary visitor to collect your donors' information. And we're talking about sensitive personal data here: first name, last name, email, donor ID...
➡️ Direct risks:
- GDPR violation
- Targeted fraud (phishing, identity theft)
- Loss of confidence on the part of your donors
(Very) strong reactions on GitHub
The community was quick to react, and not gently.
The GitHub issue for this problem was flooded with messages of dissatisfaction, some of them furious. Support reportedly ignored the problem at first.
Each intervention by the Community Manager results in a shower of downvotes 👎.

One user sums it up well: "This was not a minor issue. This was a massive security and privacy issue."
The hard part, of course, is dealing with the consequences of the leak for disgruntled customers...
"We, as the responsible party, self-reported to Troy Hunt and HIBP so they could notify the donor affected. I am receiving emails from rightfully upset donors that do not care that GiveWP was the cause of the leak, they care the Pi-hole had their data, Pi-hole caused their data to be released and thus Pi-hole will be responsible for their damages. We are getting threats of action against us under GDPR."
dschaper - From GitHub Comment
What if you use GiveWP?
Here are the actions to take immediately:
🔄 1. Update GiveWP to version 4.6.1
This is the version that fixes this vulnerability.
🔍 2. Check whether data may have been exposed
In concrete terms: if the plugin was installed, the risk existed as soon as a single visitor was able to reach your site. The more popular the site, the greater the risk.
📢 3. Inform your users in the event of a leak
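To make steps 1 and 2 concrete, here is a small added check script (not from the article or from GiveWP) that compares the installed GiveWP version against the fixed release 4.6.1 and reports whether the site ran an affected build. It assumes WP-CLI is installed in the WordPress root and that the plugin's slug is "give"; both are assumptions, not facts stated by the article.

```shell
#!/bin/sh
# Added example: version check for CVE-2025-8620 (GiveWP <= 4.6.0 affected).
# Assumes WP-CLI is available and that the GiveWP plugin slug is "give".
FIXED_VERSION="4.6.1"

# Returns 0 (true) when the given version is older than FIXED_VERSION,
# i.e. 4.6.0 or earlier, which the advisory lists as affected.
give_version_is_vulnerable() {
    installed="$1"
    # sort -V orders versions numerically ("4.10.0" after "4.6.1"); if the
    # installed version sorts first and is not the fixed one, it is older.
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$installed" ] && [ "$installed" != "$FIXED_VERSION" ]
}

# Reads the installed GiveWP version via WP-CLI and prints a verdict.
# Exit codes: 0 = not affected, 1 = affected, 2 = plugin/WP-CLI missing.
check_site() {
    installed=$(wp plugin get give --field=version 2>/dev/null) || {
        echo "GiveWP (slug 'give') not installed or WP-CLI unavailable"
        return 2
    }
    if give_version_is_vulnerable "$installed"; then
        echo "GiveWP $installed is affected by CVE-2025-8620: update to $FIXED_VERSION or later"
        return 1
    fi
    echo "GiveWP $installed is not affected"
    return 0
}

# Run the live check only when invoked as: sh check-give.sh check
if [ "${1:-}" = "check" ]; then
    check_site
fi
```

A non-zero exit from `check_site` is what matters for step 2: if the site ever ran an affected version while publicly reachable, treat donor data as potentially exposed and move on to steps 3 and 4.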
Transparency = trust. If you have the slightest doubt about an actual leak, take the lead:
- Notify the donors concerned (email, notification, message on your website...)
- Give them simple advice: change their password if they have one, stay alert to phishing attempts, etc.
🏛️ 4. In France: notify the CNIL if necessary
If the leak represents a risk for the rights and freedoms of the people concerned (which is often the case with names + emails), you have 72 hours to declare it to the CNIL after becoming aware of it.
⚠️ This is an obligation under the GDPR (Article 33).
➕ If the risk is high, you must also inform the people concerned directly.
More info at: https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles
Impact at LRob
At LRob, only one site has this plugin, and the plugin is deactivated there.
I guess we still don't host enough associations.
No impact to report, then.
Useful resources for further reading
- 🔗 Changelog GiveWP - version 4.6.1
- 🔗 Details of the flaw by WordFence
- 🔗 GitHub issue of the controversy
In conclusion: stay vigilant
A flaw like this reminds us that even the most popular plugins can carry risks.
🛡️ Protect your donors. Strengthen your security. Stay up-to-date.
💡 Need a hand with security?
Tired of having to monitor every vulnerability, every plugin, every CVE?
With LRob web hosting, you benefit from automated monitoring, real-time blocking and clear notifications when a problem is detected. If need be, we'll take care of everything for you through our webmastering offers.
👉 All our services on www.lrob.fr 🚀🔒