CVE-2025-67467
Description
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery. This issue affects GiveWP: from n/a through <= 4.13.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in GiveWP plugin up to 4.13.1 allows attackers to force privileged users into performing unwanted actions via crafted requests.
A Cross-Site Request Forgery (CSRF) vulnerability exists in the GiveWP plugin for WordPress, affecting versions up to and including 4.13.1. The flaw stems from insufficient validation of HTTP requests, enabling an attacker to trick a logged-in administrator or other privileged user into inadvertently executing actions without their consent [1].
Exploitation requires user interaction: the victim must click a malicious link, visit a crafted page, or submit a specially designed form while authenticated. The attacker does not need any special privileges beyond crafting the malicious payload. This is the classic CSRF pattern, in which the victim's browser sends the forged request with their valid session cookies [1].
If successfully exploited, an attacker could force the victim to perform unwanted actions under the victim's current authentication level—such as changing plugin settings, creating new donation forms, or modifying existing data. While the CVSS score of 5.4 indicates medium severity, the impact is constrained to actions the victim is authorized to perform [1].
The vulnerability has been addressed in GiveWP version 4.13.2. Users are strongly advised to update immediately. Patchstack also recommends enabling auto-updates for vulnerable plugins. No workaround is mentioned beyond updating [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.