Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Network-reachable CSRF with no attacker privileges, but admin click required (UI:R); impact confined to toggling a notification setting (I:L), no confidentiality or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) allows unauthenticated remote attackers to disable donation email notifications by tricking a logged-in administrator into clicking a crafted link. The root cause is absent nonce validation in the give_set_notification_status_handler() AJAX handler, permitting forged state-changing requests. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress site has GiveWP version 4.15.3 or earlier installed and active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) accurately reflects the bounded impact of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious webpage or email containing an invisible auto-submitting HTML form that targets the GiveWP AJAX endpoint with parameters to disable donation email notifications. When a WordPress site administrator who is currently logged in visits or clicks the attacker-controlled link, the browser submits the forged request bearing the admin's valid session cookie, and the server processes it without nonce validation - silently disabling donation alerts. … |
| Remediation | Upgrade GiveWP to version 4.15.4 or later; this is inferred as the patched release from the Trac changeset diff between tags 4.15.3 and 4.15.4 (https://plugins.trac.wordpress.org/changeset?old_path=%2Fgive/tags/4.15.3&new_path=%2Fgive/tags/4.15.4), though the exact fix version has not been independently confirmed via a formal vendor security advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-lev
Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40905
GHSA-7jgp-xppm-6ff3