CVE-2026-11981
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 4.15.3. This is due to missing nonce validation on the give_set_notification_status_handler() function, allowing unauthenticated attackers to disable donation email notifications via a forged request.
Risk Assessment
The risk is that an attacker can trick a site administrator into clicking a link, which will disable donation email notifications without their knowledge. This could lead to delays in donation processing and loss of donor trust.
Recommendation
It is recommended to immediately update the GiveWP plugin to the latest available version that includes a fix for CSRF vulnerabilities. Additionally, consider implementing additional protection mechanisms such as anti-CSRF tokens in administrative forms.
Original NVD description (English source)
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

