CVE-2025-11227
GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns DisclosureThe GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
We have discovered 12,458 live websites that are affected by CVE-2025-11227.
Affected Software
| Product |  GiveWP |
| Category | Wordpress Plugins |
| Vulnerable Domains | 12,458 live websites (39% of GiveWP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 234 versions ( 96% of all versions) |
Common Weakness Enumeration
CWE-285 Improper AuthorizationDetails
- Published - Oct 4, 2025
- Updated - Oct 6, 2025
Credits
- Rafshanzani Suhada (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-11227 United States | 5,569 websites |
 Germany | 938 websites |
 GB | 779 websites |
 Italy | 673 websites |
 France | 586 websites |
 India | 334 websites |
 Canada | 315 websites |
 Spain | 241 websites |
 Australia | 233 websites |
 Cyprus | 205 websites |
Website Distribution by TLD
Number of websites using CVE-2025-11227| .org | 5,127 websites |
| .com | 3,024 websites |
| .it | 443 websites |
| .de | 327 websites |
| .net | 216 websites |
| .org.uk | 211 websites |
| .fr | 173 websites |
| .ca | 173 websites |
| .co.uk | 154 websites |
| .nl | 104 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-11227
Top websites that are affected by CVE-2025-11227. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.info | United States | **,*** | |
| ***********.org | United States | **,*** | |
| *********.org | GB | **,*** | |
| ********.org | United States | **,*** | |
| ************.org | United States | **,*** | |
| **************.com | Australia | **,*** | |
| ******.info | Italy | **,*** | |
| ****************.com | United States | ***,*** | |
| **************.***.uk | GB | ***,*** | |
| *****.org | United States | ***,*** |
FAQ
CVE-2025-11227 is Improper Authorization in GiveWP
A total of 12,458 websites have been identified as vulnerable to CVE-2025-11227, based on global website indexing conducted by WebTechSurvey.
The GiveWP is affected by the CVE-2025-11227 vulnerability.
GiveWP versions up to and including 4.10 are vulnerable to CVE-2025-11227.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/54db1807-69ff-445c-9e02-9abce9fd3940?source=cve
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L82
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L91
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L60
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L52
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371948%40give&new=3371948%40give&sfp_email=&sfph_mail=