CVE-2025-11228
GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign AssociationThe GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
We have discovered 12,458 live websites that are affected by CVE-2025-11228.
Affected Software
| Product |  GiveWP |
| Category | Wordpress Plugins |
| Vulnerable Domains | 12,458 live websites (39% of GiveWP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 234 versions ( 96% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Oct 4, 2025
- Updated - Oct 6, 2025
Credits
- Rafshanzani Suhada (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-11228 United States | 5,569 websites |
 Germany | 938 websites |
 GB | 779 websites |
 Italy | 673 websites |
 France | 586 websites |
 India | 334 websites |
 Canada | 315 websites |
 Spain | 241 websites |
 Australia | 233 websites |
 Cyprus | 205 websites |
Website Distribution by TLD
Number of websites using CVE-2025-11228| .org | 5,127 websites |
| .com | 3,024 websites |
| .it | 443 websites |
| .de | 327 websites |
| .net | 216 websites |
| .org.uk | 211 websites |
| .fr | 173 websites |
| .ca | 173 websites |
| .co.uk | 154 websites |
| .nl | 104 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-11228
Top websites that are affected by CVE-2025-11228. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.info | United States | **,*** | |
| ***********.org | United States | **,*** | |
| *********.org | GB | **,*** | |
| ********.org | United States | **,*** | |
| ************.org | United States | **,*** | |
| **************.com | Australia | **,*** | |
| ******.info | Italy | **,*** | |
| ****************.com | United States | ***,*** | |
| **************.***.uk | GB | ***,*** | |
| *****.org | United States | ***,*** |
FAQ
CVE-2025-11228 is Missing Authorization in GiveWP
A total of 12,458 websites have been identified as vulnerable to CVE-2025-11228, based on global website indexing conducted by WebTechSurvey.
The GiveWP is affected by the CVE-2025-11228 vulnerability.
GiveWP versions up to and including 4.10 are vulnerable to CVE-2025-11228.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf9a043-5eb6-46fd-88c2-0f5a04f73fc9?source=cve
- https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L131
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371948%40give&new=3371948%40give&sfp_email=&sfph_mail=