💥 GiveWP data leak: over 100,000 WordPress sites affected

GiveWP donation plugin hit by information exposure flaw

A vulnerability in the plugin GiveWP exposes donor names and emails on thousands of WordPress sites. No login required. Find out what happened, why it's causing such a stir... and above all, how to protect yourself.

The background: a serious flaw in a widely used plugin

The plugin GiveWP - Donation Plugin and Fundraising Platform, used by at least 100,000 WordPress sites to manage donations, was recently hit by an information exposure vulnerability (CWE-200).

This vulnerability allows anyone to retrieve the list of donors - names, email addresses, logins - without being logged in and without any special privileges.

All it takes is visiting the site.

Technical details

  • CVE: CVE-2025-8620
  • CVSS score: 5.3
  • Severity: Medium
  • Affected versions: all versions up to and including 4.6.0
  • Publication date: 6 August 2025
  • Fixed in version: 4.6.1

What are the practical consequences?

If you use GiveWP, you should know that this flaw lets an ordinary visitor collect information about your donors. And we are talking about sensitive personal data here: first name, surname, email address, donor ID, etc.

➡️ Direct risks:

  • GDPR violation
  • Targeted fraud (phishing, identity theft)
  • Loss of your donors' trust

(Very) strong reactions on GitHub

The community was quick to react, and not gently.

The GitHub issue for this problem was flooded with complaints, some of them furious. Support reportedly ignored the problem at first.

Each reply from the Community Manager drew a shower of downvotes 👎.

Example of a downvoted comment

One user sums it up: «This was not a minor issue. This was a massive security and privacy issue.»

The difficulty, of course, is that every site owner then has to handle the leak with their own disgruntled donors...

«We, as the responsible party, self-reported to Troy Hunt and HIBP so they could notify the donor affected. I am receiving emails from rightfully upset donors that do not care that GiveWP was the cause of the leak, they care the Pi-hole had their data, Pi-hole caused their data to be released and thus Pi-hole will be responsible for their damages. We are getting threats of action against us under GDPR.»

dschaper, GitHub comment

What if you use GiveWP?

Actions to take immediately:

🔄 1. Update GiveWP to version 4.6.1

Version 4.6.1 is the release that fixes this vulnerability; any older version remains exposed.

🔍 2. Check whether any data may have been exposed

In concrete terms: if a vulnerable version of the plugin was installed and active, assume the risk was present as soon as a single visitor could reach your site. The more popular the site, the greater the risk.
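A quick way to carry out steps 1 and 2 across several sites is to read the installed GiveWP version off disk and compare it with 4.6.1 using a proper numeric comparison (a plain string comparison would rank 4.10.0 below 4.6.1). The script below is an added example, not code from this article or from GiveWP; it assumes the plugin's main file lives at wp-content/plugins/give/give.php and carries the standard WordPress plugin header, and the sample header it ships with is constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Optional

# First release that contains the fix, per the advisory summarised above.
FIXED_VERSION = "4.6.1"

# Constructed sample of a standard WordPress plugin header. The real header is
# assumed to sit at the top of wp-content/plugins/give/give.php; the values
# below are made up for this example.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Give - Donation Plugin and Fundraising Platform
 * Plugin URI: https://givewp.com
 * Version: 4.6.0
 * Requires at least: 6.5
 */
"""

_VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(version: str) -> tuple:
    """Turn '4.10.0' or '4.6.1-beta1' into a comparable tuple of ints.

    Comparing strings would wrongly rank '4.10.0' below '4.6.1'; comparing
    integer tuples does not. A pre-release suffix after '-' is dropped.
    """
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_from_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header."""
    match = _VERSION_LINE.search(header_text)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True for every release older than the fixed one."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(header_text: Optional[str]) -> dict:
    """Classify one site from its give.php header (None = plugin not installed)."""
    if header_text is None:
        return {"installed": False, "version": None, "vulnerable": False}
    version = version_from_header(header_text)
    if version is None:
        # Plugin present but header unreadable: treat as vulnerable until checked.
        return {"installed": True, "version": None, "vulnerable": True}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


def assess_site(wp_root: Path) -> dict:
    """Read the real header from a WordPress install located under wp_root."""
    plugin_file = wp_root / "wp-content" / "plugins" / "give" / "give.php"
    if not plugin_file.is_file():
        return assess(None)
    # Only the header block matters, so a few KB is enough.
    with plugin_file.open("r", encoding="utf-8", errors="replace") as fh:
        return assess(fh.read(8192))


if __name__ == "__main__":
    print(assess(SAMPLE_HEADER))
    # Fleet sweep, assuming one WordPress install per directory under /var/www
    # (assumed layout; adjust to your hosting setup).
    for root in sorted(Path("/var/www").glob("*")):
        result = assess_site(root)
        if result["installed"]:
            print(root, result)
```

On a single site with WP-CLI available, `wp plugin get give --field=version` gives the same answer, and `wp plugin update give` applies the fix; the script is mainly useful when you host many sites and want one list of the ones that still need attention.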

📢 3. Inform your users in the event of a leak

Transparency = trust. If you have the slightest doubt about an actual leak, take the initiative:

  • Notify the donors concerned (email, notification, message on your website...)
  • Give them some simple advice: change their password if they have one, be on the lookout for phishing attempts, etc.

🏛️ 4. In France: notify the CNIL if necessary

If the leak presents a risk to the rights and freedoms of the people concerned (which is often the case with names + emails), you have 72 hours from becoming aware of it to declare it to the CNIL.

⚠️ This is an obligation under the GDPR (Article 33).

➕ If the risk is high, you must also inform the people concerned directly.

Find out more: https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles

Impact at LRob

At LRob, only one site has this plugin, and the plugin is deactivated there.
I guess we still don't host enough associations.

No impact to report, then.

In conclusion: remain vigilant

A flaw like this reminds us that even the most popular plugins can carry risks.

🛡️ Protect your donors. Strengthen your security. Stay up-to-date.

💡 Need a hand with security?

Tired of having to monitor every vulnerability, every plugin, every CVE?

With LRob web hosting, you get automated monitoring, real-time blocking and clear notifications whenever a problem is detected. If needed, we take care of everything for you through our webmastering offers.

👉 All our services on portal.lrob.fr/ 🚀🔒
