{"id":7835,"date":"2025-08-07T19:26:36","date_gmt":"2025-08-07T17:26:36","guid":{"rendered":"https:\/\/www.lrob.fr\/?p=7835"},"modified":"2025-08-07T19:40:12","modified_gmt":"2025-08-07T17:40:12","slug":"givewp-data-leakage-100000-wordpress-sites","status":"publish","type":"post","link":"https:\/\/www.lrob.fr\/en\/blog\/securite\/fuite-de-donnees-givewp-100-000-sites-wordpress\/","title":{"rendered":"\ud83d\udca5 GiveWP data leak: over 100,000 WordPress sites affected"},"content":{"rendered":"<h2 class=\"wp-block-heading\" id=\"une-faille-dexposition-dinformations-touche-le-plugin-de-dons-give-wp\">Information exposure flaw affects GiveWP donation plugin<\/h2>\n\n\n\n<p class=\"translation-block\">A vulnerability in the <a href=\"https:\/\/wordpress.org\/plugins\/give\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GiveWP<\/a> plugin exposes donor names and emails on thousands of WordPress sites. No login required. Find out what happened, why it's controversial... and most importantly, how to protect yourself.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<h2 class=\"wp-block-heading\" id=\"le-contexte-une-faille-serieuse-dans-un-plugin-tres-utilise\">Background: a serious flaw in a widely used plugin<\/h2>\n\n\n\n<p class=\"translation-block\">The <strong>GiveWP - Donation Plugin and Fundraising Platform<\/strong> plugin, used by at least 100,000 WordPress sites to manage donations, was recently hit by an <strong>information exposure flaw (CWE-200)<\/strong>.<\/p>\n\n\n\n<p class=\"translation-block\">This vulnerability allows <strong>anyone<\/strong> to retrieve the <strong>list of donors<\/strong> - names, email addresses, donor IDs - without needing to be logged in or to hold any special privileges.<\/p>\n\n\n\n<p>And all this simply by visiting a
site.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<h2 class=\"wp-block-heading\">Technical details<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CVE:<\/strong> CVE-2025-8620<\/li>\n\n\n\n<li><strong>CVSS score:<\/strong> 5.3<\/li>\n\n\n\n<li><strong>Severity level:<\/strong> Medium<\/li>\n\n\n\n<li><strong>Affected versions:<\/strong> all versions up to and including <strong>4.6.0<\/strong><\/li>\n\n\n\n<li><strong>Publication date:<\/strong> August 6, 2025<\/li>\n\n\n\n<li><strong>Fixed in version:<\/strong> 4.6.1<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">What are the practical consequences?<\/h2>\n\n\n\n<p class=\"translation-block\">If you use GiveWP, you should know that this flaw allows <strong>an ordinary visitor<\/strong> to <strong>collect your donors' information<\/strong>. And we're talking about sensitive personal data here: first name, last name, email, donor ID...<\/p>\n\n\n\n<p>\u27a1\ufe0f <strong>Direct risks:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\">Violation of the <strong>GDPR (RGPD)<\/strong><\/li>\n\n\n\n<li class=\"translation-block\"><strong>Targeted fraud<\/strong> (phishing, identity theft)<\/li>\n\n\n\n<li class=\"translation-block\"><strong>Loss of trust<\/strong> on the part of your donors<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">(Very) strong reactions on GitHub<\/h2>\n\n\n\n<p>The community was quick to react, and not gently.<\/p>\n\n\n\n<p class=\"translation-block\">The <strong><a href=\"https:\/\/github.com\/impress-org\/givewp\/issues\/8042\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub issue for this problem<\/a><\/strong> was flooded with messages of dissatisfaction, some of them furious.
Support reportedly ignored the problem at first.<\/p>\n\n\n\n<p class=\"translation-block\">Each intervention by the Community Manager results in a shower of <strong>downvotes \ud83d\udc4e<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"869\" height=\"121\" src=\"https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp.jpg\" alt=\"Example of a downvoted comment\" class=\"wp-image-7837\" srcset=\"https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp.jpg 869w, https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp-300x42.jpg 300w, https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp-150x21.jpg 150w\" sizes=\"auto, (max-width: 869px) 100vw, 869px\" \/><\/figure>\n\n\n\n<p class=\"translation-block\">One user sums it up well: <em>\"This was not a minor issue. This was a massive security and privacy issue.\"<\/em><\/p>\n\n\n\n<p>The difficulty, of course, is managing the fallout of the leak with disgruntled donors...<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\"We, as the responsible party, self-reported to Troy Hunt and HIBP so they could notify the donor affected. I am receiving emails from rightfully upset donors that do not care that GiveWP was the cause of the leak, they care the Pi-hole had their data, Pi-hole caused their data to be released and thus Pi-hole will be responsible for their damages.
We are getting threats of action against us under GDPR.\"<\/p>\n<cite><a href=\"https:\/\/github.com\/dschaper\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">dschaper<\/a> - From <a href=\"https:\/\/github.com\/impress-org\/givewp\/issues\/8042#issuecomment-3145429867\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub Comment<\/a><\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">What if you use GiveWP?<\/h2>\n\n\n\n<p class=\"translation-block\">Here are <strong>the actions to take immediately<\/strong>:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd04 1. Update GiveWP to version 4.6.1<\/h3>\n\n\n\n<p class=\"translation-block\">This is <strong>the only version that fixes<\/strong> this vulnerability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d 2. Check whether data may have been exposed<\/h3>\n\n\n\n<p>In concrete terms: if the plugin was installed, the risk was present as soon as a single visitor was able to reach your site. The more popular the site, the greater the risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udce2 3. Inform your users in the event of a leak<\/h3>\n\n\n\n<p class=\"translation-block\"><strong>Transparency = trust.<\/strong> If you have the slightest doubt about an actual leak, take the lead:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Notify the donors concerned (email, notification, message on your website...)<\/li>\n\n\n\n<li>Give them simple advice: change their password if they have one, stay alert to phishing attempts, etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udfdb\ufe0f 4.
In France: notify the CNIL if necessary<\/h3>\n\n\n\n<p class=\"translation-block\">If the leak represents a <strong>risk to the rights and freedoms<\/strong> of the people concerned (which is often the case with names + emails), <strong>you have 72 hours to declare it to the CNIL<\/strong> after becoming aware of it.<\/p>\n\n\n\n<p>\u26a0\ufe0f This is an obligation under Article 33 of the GDPR (RGPD).<\/p>\n\n\n\n<p class=\"translation-block\">\u2795 If the risk is high, you must also <strong>inform the people concerned directly<\/strong>.<\/p>\n\n\n\n<p class=\"translation-block\">More info at: <a href=\"https:\/\/www.cnil.fr\/fr\/notifier-une-violation-de-donnees-personnelles\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.cnil.fr\/fr\/notifier-une-violation-de-donnees-personnelles<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Impact at LRob<\/h2>\n\n\n\n<p>At LRob, only one site has this plugin, and the plugin is deactivated there.<br>I guess we still don't host enough associations.<\/p>\n\n\n\n<p>No impact to report, then.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Useful resources for further reading<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ud83d\udd17 <a href=\"https:\/\/github.com\/impress-org\/givewp\/releases\/tag\/4.6.1\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GiveWP changelog - version 4.6.1<\/a><\/li>\n\n\n\n<li>\ud83d\udd17 <a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/give\/givewp-donation-plugin-and-fundraising-platform-460-unauthenticated-donor-data-exposure\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Details of the flaw by Wordfence<\/a><\/li>\n\n\n\n<li>\ud83d\udd17 <a href=\"https:\/\/github.com\/impress-org\/givewp\/issues\/8042\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">The GitHub issue behind the controversy<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">In conclusion: stay vigilant<\/h2>\n\n\n\n<p>A flaw like this reminds us
that even the most popular plugins can carry risks.<\/p>\n\n\n\n<p>\ud83d\udee1\ufe0f <strong>Protect your donors. Strengthen your security. Stay up-to-date.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udca1 Need a hand with security?<\/h2>\n\n\n\n<p>Tired of having to monitor every vulnerability, every plugin, every CVE?<\/p>\n\n\n\n<p>With <a href=\"https:\/\/www.lrob.fr\/en\/web-hosting\/\"><strong>LRob<\/strong> web hosting<\/a>, you benefit from <strong>automated monitoring<\/strong>, <strong>real-time blocking<\/strong> and <strong>clear notifications<\/strong> when a problem is detected. If need be, we'll take care of everything for you through our <a href=\"https:\/\/www.lrob.fr\/en\/services\/wordpress-webmastering\/\">webmastering offers<\/a>.<\/p>\n\n\n\n<p>\ud83d\udc49 All our services at <a class=\"\" href=\"https:\/\/www.lrob.fr\/en\/\">www.lrob.fr<\/a> \ud83d\ude80\ud83d\udd12<\/p>","protected":false},"excerpt":{"rendered":"<p class=\"translation-block\">A vulnerability in the <a href=\"https:\/\/wordpress.org\/plugins\/give\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GiveWP<\/a> plugin exposes donor names and emails on thousands of WordPress sites. No login required. Find out what happened, why it's controversial...
and most importantly, how to protect yourself.<\/p>","protected":false},"author":1,"featured_media":7841,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[],"class_list":["post-7835","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-securite"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=7835"}],"version-history":[{"count":3,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7835\/revisions"}],"predecessor-version":[{"id":7842,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7835\/revisions\/7842"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media\/7841"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=7835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/categories?post=7835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/tags?post=7835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}