Skip to main content

GiveWP CVE-2026-11981

| EUVDEUVD-2026-40905 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-01 Wordfence GHSA-7jgp-xppm-6ff3
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable CSRF with no attacker privileges, but admin click required (UI:R); impact confined to toggling a notification setting (I:L), no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:33 vuln.today
CVE Published
Jul 01, 2026 - 04:32 nvd
MEDIUM 4.3

DescriptionCVE.org

The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) allows unauthenticated remote attackers to disable donation email notifications by tricking a logged-in administrator into clicking a crafted link. The root cause is absent nonce validation in the give_set_notification_status_handler() AJAX handler, permitting forged state-changing requests. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft forged AJAX request targeting give_set_notification_status_handler
Delivery
Host payload on attacker-controlled page or embed in phishing email
Exploit
Trick authenticated WordPress admin into clicking link
Execution
Browser submits request with valid admin session cookie
Persist
Server processes request without nonce check
Impact
Donation email notifications silently disabled

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site has GiveWP version 4.15.3 or earlier installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) accurately reflects the bounded impact of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious webpage or email containing an invisible auto-submitting HTML form that targets the GiveWP AJAX endpoint with parameters to disable donation email notifications. When a WordPress site administrator who is currently logged in visits or clicks the attacker-controlled link, the browser submits the forged request bearing the admin's valid session cookie, and the server processes it without nonce validation - silently disabling donation alerts. …
Remediation Upgrade GiveWP to version 4.15.4 or later; this is inferred as the patched release from the Trac changeset diff between tags 4.15.3 and 4.15.4 (https://plugins.trac.wordpress.org/changeset?old_path=%2Fgive/tags/4.15.3&new_path=%2Fgive/tags/4.15.4), though the exact fix version has not been independently confirmed via a formal vendor security advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11981 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy