CVE-2025-67467

GiveWP <= 4.13.1 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.13.2
Patched in
14d
Time to patch

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.13.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.13.1
PublishedDecember 23, 2025
Last updatedJanuary 5, 2026
Affected plugingive

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for CVE-2025-67467. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) within the WordPress ecosystem and the standard security practices used to mitigate…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for CVE-2025-67467. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) within the WordPress ecosystem and the standard security practices used to mitigate these risks.

Understanding CSRF in WordPress

Cross-Site Request Forgery (CSRF) is a vulnerability that occurs when a web application performs a state-changing action based on a request from an authenticated user without verifying that the user intentionally initiated that request. In the context of WordPress, this often involves actions such as updating plugin settings, deleting content, or modifying user roles.

The vulnerability typically arises in endpoints that handle sensitive operations but fail to implement or correctly validate security tokens, known in WordPress as nonces.

Common Vulnerability Points

  1. AJAX Handlers: Functions hooked to wp_ajax_* or wp_ajax_nopriv_* that perform database updates or sensitive configuration changes without verifying a nonce.
  2. Admin Post Handlers: Functions hooked to admin_post_* or admin_init that process form submissions from the WordPress dashboard.
  3. Settings Pages: Custom administration pages that save options using update_option() without checking the validity of the request origin.

Defense-in-Depth with WordPress Nonces

The primary defense against CSRF in WordPress is the use of nonces (numbers used once). Unlike cryptographic nonces, WordPress nonces are time-limited tokens tied to a specific user, session, and action.

Implementation Best Practices

To secure an endpoint, developers typically follow these steps:

  1. Generate the Nonce: When rendering a form or localizing a script, a nonce is generated for a specific action string.

    // In a form
    wp_nonce_field( 'update_plugin_settings_action', 'plugin_nonce_name' );
    
    // For AJAX/JavaScript
    wp_localize_script( 'my-script', 'my_ajax_obj', [
        'nonce' => wp_create_nonce( 'my_ajax_action' )
    ]);
    
  2. Verify the Nonce: Before processing any state-changing request, the application must verify the nonce.

    // For standard POST requests
    if ( ! isset( $_POST['plugin_nonce_name'] ) || ! wp_verify_nonce( $_POST['plugin_nonce_name'], 'update_plugin_settings_action' ) ) {
        wp_die( 'Security check failed' );
    }
    
    // For AJAX requests
    check_ajax_referer( 'my_ajax_action', 'nonce' );
    
  3. Check Capabilities: Nonce verification should always be accompanied by a capability check (current_user_can()) to ensure the user has the necessary permissions to perform the action.

Identifying Potential Weaknesses

Security researchers often look for several common patterns when auditing plugins for CSRF:

  • Missing Checks: The most straightforward case, where an action-handling function contains no nonce validation at all.
  • Incorrect Action Strings: If the action string used during verification (wp_verify_nonce) does not exactly match the one used during creation (wp_create_nonce), the check will fail. Conversely, using a generic or easily obtainable action string (like -1) weakens the protection.
  • Conditional Validation: Situations where the nonce is only checked if it is present in the request, allowing an attacker to bypass the check by omitting the parameter entirely.
  • Ignoring Results: Calling a verification function but failing to terminate execution or return an error if the verification fails.

For further information on securing WordPress plugins, you may consult the official WordPress Plugin Handbook on Security or the OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet.

Research Findings
Static analysis — not yet PoC-verified

Summary

The GiveWP plugin for WordPress (up to version 4.13.1) lacks proper nonce validation on a sensitive function, making it vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated attacker can exploit this by tricking an administrator into clicking a malicious link or visiting a crafted page, leading to unauthorized administrative actions.

Exploit Outline

1. Identify a state-changing action handler within the GiveWP plugin that performs sensitive operations (such as updating settings or processing data) but fails to check for a valid WordPress nonce. 2. Construct a malicious payload, typically an HTML form that automatically submits via JavaScript or a direct URL with action parameters, designed to trigger the vulnerable function. 3. Distribute the payload to a logged-in site administrator using social engineering techniques to trick them into executing the request. 4. Once the administrator interacts with the payload, their browser sends a request to the WordPress site including their authentication cookies. Because the plugin does not verify the request's origin or intent via a nonce, it executes the unauthorized action as the administrator.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.