Security Alert Summary
The GiveWP plugin for WordPress is affected by a Cross-Site Request Forgery (CSRF) vulnerability (CVE-2026-11981). Missing nonce validation in the give_set_notification_status_handler() function makes it possible for an attacker to disable donation email notifications by tricking a site administrator into performing an action such as clicking a crafted link.
CVE Details
- CVE ID: CVE-2026-11981
- Affected component: GiveWP – Donation Plugin and Fundraising Platform (GiveWP plugin for WordPress)
- Affected versions: Versions up to and including 4.15.3
- Published: July 1, 2026 at 05:16:16 AM UTC
- Last modified: July 1, 2026 at 01:56:17 PM UTC
- CVSS v3.1: Base score 4.3, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Authentication / privileges / user interaction: No privileges required (NONE); user interaction required (UI:R); attack vector NETWORK; attack complexity LOW
- Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-352 (Cross-Site Request Forgery)
Technical Details
The vulnerability is a Cross-Site Request Forgery caused by missing nonce validation in the give_set_notification_status_handler() function. Because the handler does not verify a valid nonce, an attacker can construct a forged request that changes the donation email notification status. If an administrator (or another user with the required capability) is induced to visit the forged link or perform the crafted action, the attacker can disable donation-related email notifications without authenticating to the site.
The report identifies give_set_notification_status_handler() as the affected location; the root cause is that this handler performs no nonce check before acting on the request. The practical impact is limited to the integrity of the email-notification setting (disabling notifications) rather than disclosure of sensitive data or denial of service.
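To show what the missing check looks like and how a handler of this kind is hardened, here is an added illustration in the WordPress plugin API; it is not GiveWP's code, and the option name, AJAX action and function names are hypothetical.

```php
<?php
// Added illustration, not GiveWP's code. Option name, AJAX action and
// function names are hypothetical; the WordPress API calls are real.

// BEFORE (CSRF-prone): any POST to admin-ajax.php?action=example_set_notification_status
// sent by a logged-in admin's browser is honoured, even one a third-party page triggered,
// because nothing ties the request to a form the admin actually submitted.
function example_set_notification_status_vulnerable() {
    $status = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    update_option( 'example_donation_email_enabled', 'enabled' === $status ? 1 : 0 );
    wp_send_json_success();
}

// AFTER (hardened): verify the nonce, then the capability, then the input, then act.
function example_set_notification_status_handler() {
    // check_ajax_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce'] for this
    // action and, with the default third argument, dies with HTTP 403 on failure.
    check_ajax_referer( 'example_set_notification_status', '_wpnonce' );

    // A nonce proves intent, not authority: the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $status = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, array( 'enabled', 'disabled' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
    }

    update_option( 'example_donation_email_enabled', 'enabled' === $status ? 1 : 0 );
    wp_send_json_success( array( 'status' => $status ) );
}
// Logged-in users only: no wp_ajax_nopriv_ hook, so anonymous requests receive "0".
add_action( 'wp_ajax_example_set_notification_status', 'example_set_notification_status_handler' );

// The legitimate admin page must issue the nonce the handler expects; here it is
// handed to the script that makes the AJAX call (admin.js is hypothetical).
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_set_notification_status' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The nonce is what distinguishes a request the administrator's own settings page produced from one their browser was steered into sending; a forged request carries no valid nonce, so the hardened handler refuses before touching the option.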
How This Could Impact Your Website
Consider a small nonprofit using GiveWP where the site owner delegates day-to-day donor management to an internal staff member and an external contractor who helps with campaigns. If an attacker successfully tricks a staff member with administrator-level access into visiting a malicious link, donation notification emails could be disabled without obvious logs or immediate notice. Staff may stop receiving donation alerts and fail to acknowledge or process donation-related tasks promptly.
Practical consequences include missed donor communications, delayed administrative actions, and the potential for confusion between team members about who is handling donations. While this vulnerability does not indicate data exposure, the lack of notification could indirectly increase the opportunity for social engineering or targeted phishing attempts if attackers leverage timing or organizational gaps to impersonate staff or donors.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and capabilities, especially accounts with contributor/editor/administrator privileges.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual changes to plugin settings or unexpected admin actions.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L24
- https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L25
- https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L32
- https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L24
- https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L25
- https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L32
- https://plugins.trac.wordpress.org/changeset/3573301/give/trunk/includes/admin/emails/ajax-handler.php
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fgive/tags/4.15.3&new_path=%2Fgive/tags/4.15.4
- https://www.wordfence.com/threat-intel/vulnerabilities/id/49954c72-df0d-46ec-a252-8af84dea41bf?source=cve