{"id":7835,"date":"2025-08-07T19:26:36","date_gmt":"2025-08-07T17:26:36","guid":{"rendered":"https:\/\/www.lrob.fr\/?p=7835"},"modified":"2025-08-07T19:26:36","modified_gmt":"2025-08-07T17:26:36","slug":"givewp-data-leakage-100000-wordpress-sites","status":"publish","type":"post","link":"https:\/\/www.lrob.fr\/en\/blog\/securite-wordpress\/fuite-de-donnees-givewp-100-000-sites-wordpress\/","title":{"rendered":"\ud83d\udca5 GiveWP data leak: over 100,000 WordPress sites affected"},"content":{"rendered":"<h2 class=\"wp-block-heading\" id=\"une-faille-dexposition-dinformations-touche-le-plugin-de-dons-give-wp\">Information exposure flaw affects GiveWP donation plugin<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A vulnerability in the plugin <a href=\"https:\/\/wordpress.org\/plugins\/give\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GiveWP<\/a> exposes donor names and emails on thousands of WordPress sites. No login required. Find out what happened, why it's controversial... and most importantly, how to protect yourself.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-794e3cfa wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<h2 class=\"wp-block-heading\" id=\"le-contexte-une-faille-serieuse-dans-un-plugin-tres-utilise\">Background: a serious flaw in a widely used plugin<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The plugin <strong>GiveWP - Donation Plugin and Fundraising Platform<\/strong>, used by at least 100,000 WordPress sites to manage donations, has recently been hit by a <strong>information exposure flaw (CWE-200)<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This vulnerability allows <strong>anyone to retrieve the list of donors<\/strong> - names, email addresses, logins - without the need to be logged in or have special privileges.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And all this, simply by visiting a site.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<h2 class=\"wp-block-heading\">Technical details<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CVE :<\/strong> CVE-2025-8620<\/li>\n\n\n\n<li><strong>CVSS score :<\/strong> 5.3<\/li>\n\n\n\n<li><strong>Severity level :<\/strong> Average<\/li>\n\n\n\n<li><strong>Versions concerned :<\/strong> All until the <strong>4.6.0 included<\/strong><\/li>\n\n\n\n<li><strong>Publication date :<\/strong> August 6, 2025<\/li>\n\n\n\n<li><strong>Correction in version :<\/strong> 4.6.1<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">What are the practical consequences?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you use GiveWP, you should know that this flaw allows <strong>an ordinary visitor to collect information from your donors<\/strong>. And we're talking about sensitive personal data here: first name, surname, email address, donor ID...<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u27a1\ufe0f <strong>Direct risks :<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Violation of <strong>RGPD<\/strong><\/li>\n\n\n\n<li><strong>Fraud<\/strong> targeted (phishing, identity theft)<\/li>\n\n\n\n<li><strong>Loss of confidence<\/strong> of your donors<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">(Very) strong reactions on Github<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The community was quick to react, and not gently.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Visit <strong><a href=\"https:\/\/github.com\/impress-org\/givewp\/issues\/8042\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Github page for this problem<\/a><\/strong> was flooded with messages of dissatisfaction, some of them furious. Support reportedly ignored the problem at first. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Each intervention by the Community Manager results in a shower of <strong>downvotes \ud83d\udc4e<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"869\" height=\"121\" src=\"https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp.jpg\" alt=\"Example of a downvoted comment\" class=\"wp-image-7837\" srcset=\"https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp.jpg 869w, https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp-300x42.jpg 300w, https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp-150x21.jpg 150w, https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp-768x107.jpg 768w, https:\/\/www.lrob.fr\/wp-content\/uploads\/2025\/08\/Un-dev-se-prend-une-shitstorm-givewp-600x84.jpg 600w\" sizes=\"auto, (max-width: 869px) 100vw, 869px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">One user sums it up well: <em>\u00abThis was not a minor issue. This was a massive security and privacy issue ?<\/em>\u00ab\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The difficulty, of course, is to manage the data leakage from disgruntled customers...<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u00abWe, as the responsible party, self-reported to Troy Hunt and HIBP so they could notify the donor affected. I am receiving emails from rightfully upset donors that do not care that GiveWP was the cause of the leak, they care the Pi-hole had their data, Pi-hole caused their data to be released and thus Pi-hole will be responsible for their damages. We are getting threats of action against us under GDPR.\u00bb<\/p>\n<cite><a href=\"https:\/\/github.com\/dschaper\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">dschaper<\/a> - From <a href=\"https:\/\/github.com\/impress-org\/givewp\/issues\/8042#issuecomment-3145429867\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub Comment<\/a><\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">What if you use GiveWP?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Visit <strong>actions to be taken immediately<\/strong> :<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd04 1. update GiveWP to version 4.6.1<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong>the only version that fixes<\/strong> this vulnerability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d 2. Checks whether data may have been exposed<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In concrete terms... If you had the plugin, then the risk is present as soon as a single visitor has been able to visit your site. The more popular the site, the greater the risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udce2 3. inform your users in the event of a leak<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Transparency = trust.<\/strong> If you have the slightest doubt about an actual leak, take the initiative:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Notify the donors concerned (email, notification, message on your website...)<\/li>\n\n\n\n<li>Give them simple advice: change their password if they have one, stay alert to phishing attempts, etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udfdb\ufe0f 4. In France: Notify CNIL if necessary<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If the leak represents a <strong>risk to rights and freedoms<\/strong> of the people involved (which is often the case with names + emails), <strong>you have 72 hours to declare it to the CNIL<\/strong> after becoming aware of it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u26a0\ufe0f This is an obligation under the RGPD (Article 33).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u2795 If the risk is high, you must also <strong>inform those concerned directly<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">More on : <a href=\"https:\/\/www.cnil.fr\/fr\/notifier-une-violation-de-donnees-personnelles\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.cnil.fr\/fr\/notifier-une-violation-de-donnees-personnelles<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Impact at LRob<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At LRob, only one site has this plugin, and the plugin is deactivated there.<br>I guess we still don't host enough associations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">No impact to report, then.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Useful resources for further reading<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ud83d\udd17 <a href=\"https:\/\/github.com\/impress-org\/givewp\/releases\/tag\/4.6.1\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Changelog GiveWP - version 4.6.1<\/a><\/li>\n\n\n\n<li>\ud83d\udd17 <a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/give\/givewp-donation-plugin-and-fundraising-platform-460-unauthenticated-donor-data-exposure\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Details of the flaw by WordFence<\/a><\/li>\n\n\n\n<li>\ud83d\udd17 <a href=\"https:\/\/github.com\/impress-org\/givewp\/issues\/8042\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub issue of the controversy<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">In conclusion: stay vigilant<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A flaw like this reminds us that even the most popular plugins can carry risks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udee1\ufe0f <strong>Protect your donors. Strengthen your security. Stay up-to-date.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udca1 Need a hand with safety?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Tired of having to monitor every vulnerability, every plugin, every CVE?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the <a href=\"https:\/\/www.lrob.fr\/en\/web-hosting\/\">web hosting <strong>LRob<\/strong><\/a>, you benefit from <strong>automated monitoring<\/strong>, a <strong>real-time blocking<\/strong> and <strong>clear notifications<\/strong> when a problem is detected. If need be, we'll take care of everything for you thanks to the <a href=\"https:\/\/www.lrob.fr\/en\/services\/wordpress-webmastering\/\">webmastering offers<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc49 All our services on <a class=\"\" href=\"https:\/\/www.lrob.fr\/en\/\">portal.lrob.fr\/<\/a> \ud83d\ude80\ud83d\udd12<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>","protected":false},"excerpt":{"rendered":"<p>A vulnerability in the GiveWP plugin exposes donor names and emails on thousands of WordPress sites. No login required. Find out what happened, why it's controversial... and most importantly, how to protect yourself.<\/p>","protected":false},"author":1,"featured_media":7841,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41],"tags":[],"class_list":["post-7835","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-securite-wordpress"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=7835"}],"version-history":[{"count":0,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7835\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media\/7841"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=7835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/categories?post=7835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/tags?post=7835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}