GiveWP Privacy Incident: What Happened and What’s Next
We fixed a GiveWP vulnerability affecting donor info. Here’s what happened, what was impacted, and how we’re improving security and transparency.

A recent vulnerability in GiveWP exposed donor information – including names, email addresses, and donor IDs – in the HTML page source of public pages on some websites using our plugin.
While this did not include payment information, passwords, or billing addresses (and it wasn’t visible to the average site visitor), we recognize the seriousness of any exposure of donor data.
We’re deeply sorry this happened. We take your trust in GiveWP seriously, and this incident fell short of the standards you deserve.
What’s worse is that we didn’t communicate it well, and we’re owning that. We framed the situation as “not that bad” and focused on how quickly we patched it – without taking full accountability or expressing the impact this could have on your donors. And to those who spoke up, we want to say: you were right to expect more from us.
What Happened
Our development team has been working hard to create an improved administrative experience for donor management and reporting. During that process, some legacy assumptions and older code patterns did not combine safely with the newer React-based admin views and the WordPress REST API.
In short, donor data intended only for admin screens was inadvertently written into the source of public-facing pages. It was not rendered on the page, but anyone who viewed the page source, or knew the right request to make, could read it. In some cases this bypassed GiveWP's anonymous donation setting, so donors who had chosen to remain anonymous could be identified.
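To make the bug class concrete, here is an added illustration, not GiveWP's code: a plugin inlines an admin screen's donor list into the page source on every request, beside a hardened version that gates the data on admin context and capability and pushes public output through a projection that honors the anonymous flag. Every name prefixed `example_`, the script handles, the `toplevel_page_example-donors` hook suffix and the donor rows are hypothetical or constructed for the example; the WordPress functions themselves (`wp_enqueue_script`, `wp_add_inline_script`, `wp_json_encode`, `current_user_can`) are real.

```php
<?php
/**
 * Added illustration of the bug class described above. Not GiveWP's code:
 * all example_* names, handles and the screen hook suffix are hypothetical,
 * and the donor rows below are constructed sample data.
 */

// Constructed sample data standing in for a database query.
function example_donor_rows() {
    return [
        ['id' => 101, 'name' => 'Ada Lovelace', 'email' => 'ada@example.org',  'anonymous' => false],
        ['id' => 102, 'name' => 'Jane Doe',     'email' => 'jane@example.org', 'anonymous' => true],
    ];
}

// Builds the inline <script> payload. JSON_HEX_TAG stops a value such as
// "</script>" from closing the tag early.
function example_inline_json($var, $data) {
    return 'var ' . $var . ' = ' . wp_json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP) . ';';
}

/* ---------- VULNERABLE (shown for contrast, deliberately not hooked) ----------
 * wp_enqueue_scripts fires on every front-end request. Enqueuing the admin
 * bundle here and inlining the full donor list puts names, emails and donor
 * IDs, anonymous donors included, into the source of every public page.
 */
function example_vulnerable_enqueue() {
    wp_enqueue_script('example-donor-admin', plugins_url('build/donors.js', __FILE__), [], '1.0', true);
    wp_add_inline_script('example-donor-admin',
        example_inline_json('exampleDonors', example_donor_rows()), 'before');
}
// add_action('wp_enqueue_scripts', 'example_vulnerable_enqueue');  // the bug

/* ---------- HARDENED ----------
 * 1. admin_enqueue_scripts only runs for wp-admin requests, and the hook
 *    suffix narrows it to the plugin's own screen.
 * 2. The viewer must hold the capability that screen requires.
 * 3. Public output never receives the admin shape; see example_public_donor_rows().
 */
function example_admin_enqueue($hook_suffix) {
    if ($hook_suffix !== 'toplevel_page_example-donors') {   // hypothetical screen
        return;
    }
    if (!current_user_can('manage_options')) {
        return;
    }
    wp_enqueue_script('example-donor-admin', plugins_url('build/donors.js', __FILE__), [], '1.0', true);
    wp_add_inline_script('example-donor-admin',
        example_inline_json('exampleDonors', example_donor_rows()), 'before');
}
add_action('admin_enqueue_scripts', 'example_admin_enqueue');

// Public projection (a donor wall, for instance): no email, no internal ID,
// and anonymous donors are not named. Only this shape may reach a public
// page, a shortcode, or a public REST route.
function example_public_donor_rows(array $donors) {
    $public = [];
    foreach ($donors as $d) {
        $public[] = ['name' => $d['anonymous'] ? 'Anonymous' : $d['name']];
    }
    return $public;
}

function example_public_enqueue() {
    wp_enqueue_script('example-donor-wall', plugins_url('build/wall.js', __FILE__), [], '1.0', true);
    wp_add_inline_script('example-donor-wall',
        example_inline_json('exampleDonorWall', example_public_donor_rows(example_donor_rows())), 'before');
}
add_action('wp_enqueue_scripts', 'example_public_enqueue');
```

The same separation applies to the REST API the page mentions: a route that returns the admin shape needs a `permission_callback` performing the same capability check, since registering it with `__return_true` makes the data readable by any visitor, regardless of which pages inline it.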
On July 28th, we received a support inquiry about known vulnerabilities, but this was not identified as a new issue until July 29th, when a GitHub ticket with more details allowed us to confirm the bug. Later that day we released a patch (GiveWP 4.6.1). On July 30th, we notified users, but we now know that our messaging lacked transparency and empathy. Failing to fully acknowledge the impact, especially for donors who rely on anonymity, was a serious oversight.
What We’re Doing Differently
This incident has triggered a full audit of our internal processes at GiveWP and across StellarWP. This includes not just security practices but also how we handle communications around vulnerabilities.
Here are just some of the things we will be implementing:
Security Protocol Overhaul: We're unifying on a clear, step-by-step security incident protocol – from intake to resolution to communication. This includes a private escalation path, a dedicated vulnerability triage team, and patching guidelines that coordinate disclosure through Patchstack rather than discussing unpatched issues in public GitHub tickets.
Defined Communication Roles: Only designated team members will handle external communications about vulnerabilities. Messaging will be reviewed cross-functionally to ensure transparency, consistency, accuracy, and empathy.
Severity-Based Communication Plans: We’re developing a tiered response plan for how and when we alert users based on the severity and nature of an issue. Communications for issues such as this need to be faster, clearer, and handled with the seriousness they demand.
Cross-Team Training: All team members will be trained on the new protocol so they can respond appropriately, consistently, and confidently in security-related situations. This will ensure accurate information is shared and trust is maintained.
In addition, we’ll launch a dedicated /security page with clear guidance on how to report vulnerabilities, how to contact us securely by emailing security@stellarwp.com, and our broader security commitments.
What This Means For You
We recognize that you trust GiveWP with your mission – and, by extension, your donors. That trust must be earned and protected.
We failed to uphold that trust in how we handled this vulnerability and its aftermath, and we are committed to doing better.
If you are running GiveWP 4.6.1 or later, you're protected from this issue. If you haven't updated yet, we strongly encourage you to do so immediately. Updating stops the data from being included in newly served pages; if your site sits behind a page cache or CDN, purge it after updating so that previously cached copies of public pages are regenerated as well.
How to Update:
- Go to your WordPress Dashboard
- Select Plugins > Installed Plugins
- Locate GiveWP and review the update details
- Click Update
The update will begin automatically; you should receive a confirmation message once complete.
For help updating, you can reach out to our Customer Support team.
To everyone who voiced frustration, pointed out gaps, or simply expected better: thank you. Your feedback is helping us become a better team and a better tool for the nonprofit community.
Please contact our Customer Success team if you have questions or concerns. We want to hear from you, and we’re learning from this and are committed to improving.
About the Author
Matt Cromwell
Matt is co-Founder of GiveWP and now Senior Director of Customer Experience at StellarWP. He’s passionate about helping WordPress product owners level up their marketing and monetization strategies. He’s the founder and a co-host of WP Product Talk and Glam that Plugin. Matt was born and raised in California, but lives now with his wife and four children in Germany.