CVE-2024-5941

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform versions up to, and including, 3.14.1

Description: The issue is related to unauthorized access and deletion of data due to a missing capability check on the handle request function. This allows authenticated attackers with Subscriber-level access and above to read attachment paths and delete attachment files.

Recommendations: For versions up to, and including, 3.14.1, update to a version higher than 3.14.1 to resolve the issue. As a temporary workaround, consider restricting access to the handle request function until a patch is available. Additionally, restrict access to attachment files to minimize the risk of exploitation.