PT-2020-10396 · WordPress · Give Wordpress Plugin

Published: 2020-01-08 · Updated: 2023-02-06 · CVE-2019-20360

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Give versions prior to 2.5.5

Description: A flaw in the Give WordPress plugin allowed unauthenticated users to bypass the plugin's API authentication and access personally identifiable information (PII) about donors, including names, addresses, IP addresses, and email addresses. By setting the API key to any meta key value from the wp_usermeta table and the token to the MD5 hash of the selected meta key, an attacker could send requests to the restricted endpoints and retrieve sensitive donor data.

Recommendations: For versions prior to 2.5.5, update to version 2.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp_usermeta table and the affected API endpoints until the update is applied. Avoid using a meta key value from the wp_usermeta table as an API key until the issue is resolved.
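The description above boils down to two design mistakes: the API key was matched against the value of any usermeta row rather than the one row that holds the API public key, and the token was derived only from that public value, so nothing secret ever entered the check. The following added example (not the Give plugin's code; the usermeta rows and the give_api_* meta key names are constructed placeholders) models that flawed verification over a small in-memory usermeta table and sets a hardened lookup beside it, which consults only the designated public-key row and requires an HMAC token keyed with a separate per-user secret:

```python
import hashlib
import hmac

# Constructed sample of a WordPress-style usermeta table as (user_id, meta_key, meta_value).
# The give_api_* meta key names are hypothetical placeholders, not the plugin's real keys.
PUBLIC_KEY_META = "give_api_public_key"
SECRET_KEY_META = "give_api_secret_key"

USERMETA = [
    (1, "nickname", "alice"),
    (1, PUBLIC_KEY_META, "pk-alice-0001"),
    (1, SECRET_KEY_META, "sk-alice-verysecret"),
    (2, "nickname", "bob"),
    (2, "description", "Donor since 2018"),
]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def vulnerable_lookup(api_key: str, token: str):
    """Flawed verification modelled on the advisory: the API key is matched against
    the meta_value of *any* usermeta row, and the token is only compared with the MD5
    of that same public value. No secret is involved, so every row in the table is
    usable as a credential. Returns the user_id the request would be authorised as."""
    for user_id, _meta_key, meta_value in USERMETA:
        if meta_value == api_key and md5_hex(api_key) == token:
            return user_id
    return None


def make_token(secret_key: str, api_key: str) -> str:
    """Token a legitimate client derives from its secret key (hypothetical scheme)."""
    return hmac.new(secret_key.encode(), api_key.encode(), hashlib.sha256).hexdigest()


def hardened_lookup(api_key: str, token: str):
    """Corrected verification: only the designated public-key row is consulted, the
    token must be an HMAC over the public key using the user's separate secret key,
    and both comparisons are constant-time. Returns the authorised user_id or None."""
    for user_id, meta_key, meta_value in USERMETA:
        if meta_key != PUBLIC_KEY_META or not hmac.compare_digest(meta_value, api_key):
            continue
        secret = next((v for uid, k, v in USERMETA
                       if uid == user_id and k == SECRET_KEY_META), None)
        if secret is None:
            return None
        if hmac.compare_digest(make_token(secret, api_key), token):
            return user_id
        return None
    return None


if __name__ == "__main__":
    # A plain nickname row satisfies the flawed check but not the hardened one.
    print("vulnerable:", vulnerable_lookup("alice", md5_hex("alice")))   # 1
    print("hardened:  ", hardened_lookup("alice", md5_hex("alice")))     # None
    print("hardened, real credentials:",
          hardened_lookup("pk-alice-0001",
                          make_token("sk-alice-verysecret", "pk-alice-0001")))  # 1
```

The hardened version also illustrates why the workaround in the recommendations matters: once the public key is looked up by its exact meta_key and the token depends on a secret that is never sent, knowing other values from wp_usermeta no longer yields a valid credential.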

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2019-20360

Affected Products: Give Wordpress Plugin