💥 GiveWP data leak: over 100,000 WordPress sites affected

A vulnerability in the GiveWP plugin exposes donor names and emails on thousands of WordPress sites. No login required. Find out what happened, why it's controversial... and most importantly, how to protect yourself.

Information exposure flaw affects GiveWP donation plugin

Background: a serious flaw in a widely used plugin

The plugin GiveWP - Donation Plugin and Fundraising Platform, used by at least 100,000 WordPress sites to manage donations, has recently been hit by an information exposure flaw (CWE-200).

This vulnerability allows anyone to retrieve the list of donors - names, email addresses, logins - without being logged in or holding any special privileges.

And all this, simply by visiting a site.

Technical details

  • CVE: CVE-2025-8620
  • CVSS score: 5.3
  • Severity level: Medium
  • Versions affected: all versions up to and including 4.6.0
  • Publication date: August 6, 2025
  • Fixed in version: 4.6.1

What are the practical consequences?

If you use GiveWP, you should know that this flaw lets an ordinary visitor collect information about your donors. And we're talking about sensitive personal data here: first name, surname, email address, donor ID...

➡️ Direct risks:

  • GDPR violation
  • Targeted fraud (phishing, identity theft)
  • Loss of your donors' trust

(Very) strong reactions on GitHub

The community was quick to react, and not gently.

The GitHub issue for this problem was flooded with messages of dissatisfaction, some of them furious. Support reportedly ignored the problem at first.

Each intervention by the Community Manager results in a shower of downvotes 👎.

Example of a downvoted comment

One user sums it up well: «This was not a minor issue. This was a massive security and privacy issue.»

The difficulty, of course, is that the site owners then have to manage the fallout of the leak with their own disgruntled donors...

«We, as the responsible party, self-reported to Troy Hunt and HIBP so they could notify the donors affected. I am receiving emails from rightfully upset donors that do not care that GiveWP was the cause of the leak, they care the Pi-hole had their data, Pi-hole caused their data to be released and thus Pi-hole will be responsible for their damages. We are getting threats of action against us under GDPR.»

dschaper, in a GitHub comment

What if you use GiveWP?

Actions to take immediately:

🔄 1. Update GiveWP to version 4.6.1

This is the only version that fixes this vulnerability.

🔍 2. Check whether data may have been exposed

In concrete terms: if you had the plugin installed, the risk exists as soon as a single visitor was able to reach your site. The more popular the site, the greater the risk.
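As an added example for step 2 (not code from the article or from GiveWP), here is a Python check a host managing several WordPress installs could run: it reads each site's GiveWP plugin header and flags any version below 4.6.1, the fixed release named above. The `<site>/wp-content/plugins/give/give.php` layout is the plugin's standard location, and the sites built in `demo()` are constructed fixtures.

```python
"""Inventory GiveWP installs across hosted WordPress sites and flag those still on
a version affected by CVE-2025-8620 (all releases up to 4.6.0; fixed in 4.6.1)."""
import re
import shutil
import tempfile
from pathlib import Path

FIXED_VERSION = (4, 6, 1)  # first release carrying the fix, per the advisory
# Same shape as WordPress's own plugin-header regex: the field sits in a PHP doc comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([^\r\n]+)", re.MULTILINE)

def parse_version(version):
    """'4.6.0' -> (4, 6, 0). Numeric tuples compare correctly where plain strings
    do not ('4.10.2' is newer than '4.6.1' numerically, older lexicographically)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version):
    """True for every version strictly below the fixed release."""
    return parse_version(version) < FIXED_VERSION

def read_plugin_version(plugin_file):
    """Return the Version: header of a WordPress plugin main file, or None."""
    match = VERSION_RE.search(Path(plugin_file).read_text(errors="replace")[:8192])
    return match.group(1).strip() if match else None

def scan_sites(root):
    """Map each site directory under root to (give_version, vulnerable).
    Assumes the layout <site>/wp-content/plugins/give/give.php. A GiveWP install
    whose header cannot be read is reported as vulnerable (fail closed)."""
    findings = {}
    for give_php in Path(root).glob("*/wp-content/plugins/give/give.php"):
        version = read_plugin_version(give_php)
        site = give_php.parents[3].name  # .../<site>/wp-content/plugins/give/give.php
        findings[site] = (version, version is None or is_vulnerable(version))
    return findings

def demo():
    """Constructed fixture: three sites on different GiveWP versions, one without it."""
    root = Path(tempfile.mkdtemp())
    try:
        for site, version in {"site-a": "4.6.0", "site-b": "4.6.1", "site-c": "4.10.2"}.items():
            plugin = root / site / "wp-content" / "plugins" / "give"
            plugin.mkdir(parents=True)
            (plugin / "give.php").write_text(
                f"<?php\n/**\n * Plugin Name: Give - Donation Plugin\n * Version: {version}\n */\n")
        (root / "site-d" / "wp-content" / "plugins").mkdir(parents=True)  # no GiveWP here
        return scan_sites(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for site, (version, vulnerable) in sorted(demo().items()):
        print(f"{site}: GiveWP {version} -> {'UPDATE TO 4.6.1' if vulnerable else 'ok'}")
```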

📢 3. Inform your users in the event of a leak

Transparency = trust. If you have the slightest doubt about an actual leak, take the initiative:

  • Notify the donors concerned (email, notification, message on your website...)
  • Give them simple advice: change their password if they have one, stay alert to phishing attempts, etc.

🏛️ 4. In France: notify the CNIL if necessary

If the leak represents a risk to the rights and freedoms of the people involved (which is often the case with names + emails), you have 72 hours after becoming aware of it to declare it to the CNIL.

⚠️ This is an obligation under the GDPR (Article 33).

➕ If the risk is high, you must also inform those concerned directly.

More at: https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles

Impact at LRob

At LRob, only one site has this plugin, and the plugin is deactivated there.
I guess we still don't host enough non-profit associations.

No impact to report, then.

Useful resources for further reading

In conclusion: stay vigilant

A flaw like this reminds us that even the most popular plugins can carry risks.

🛡️ Protect your donors. Strengthen your security. Stay up-to-date.

💡 Need a hand with security?

Tired of having to monitor every vulnerability, every plugin, every CVE?

With LRob web hosting, you benefit from automated monitoring, real-time blocking and clear notifications when a problem is detected. If need be, we'll take care of everything for you through our webmastering offers.

👉 All our services on portal.lrob.fr/ 🚀🔒