Vulnerability Description
The GiveWP plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 2.20.2 via the /donor-wall REST-API endpoint which provides unauthenticated users with donor information even when the donor wall is not enabled. This functionality has been completely removed in version 2.20.2.
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Givewp | Givewp | <= 2.20.2 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2743833/give/tags/2.21.0/includes/a (Third Party Advisory)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/addae413-1fc5-427f-a5e
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2117 (Third Party Advisory)
FAQ
What is CVE-2022-2117?
CVE-2022-2117 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The GiveWP plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 2.20.2 via the /donor-wall REST-API endpoint which provides unauthenticated users wi...
How severe is CVE-2022-2117?
CVE-2022-2117 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-2117?
Check the references section above for vendor advisories and patch information. Affected products include: Givewp Givewp.