Pi-hole Data Breach Exposes Donor Names and Emails via GiveWP Plugin Vulnerability


Pi-hole, a well-known network-level ad-blocker, has confirmed that a security flaw in the GiveWP WordPress donation plugin exposed donor names and email addresses.

Pi-hole functions as a DNS sinkhole, blocking unwanted content before it reaches users’ devices. Originally built for Raspberry Pi single-board computers, it now runs on multiple Linux distributions, both on dedicated hardware and virtual machines.

According to Pi-hole, the issue came to light on Monday, July 28, when donors reported receiving suspicious emails at addresses used solely for contributions. A post-mortem published Friday revealed that the breach impacted individuals who donated through Pi-hole’s official website. Due to a GiveWP vulnerability, personal details became visible to anyone viewing the page's source code—without requiring authentication or special permissions.
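The exposure described above is the kind that a simple audit of a page's raw HTML can catch: anything a browser shows under "View page source" is public to every visitor, regardless of what the rendered page displays. The following script is an added example, not Pi-hole's or GiveWP's code, and it does not assume any particular GiveWP markup; it scans raw HTML for email addresses and reports the context each one sits in (inline script, HTML comment, tag attribute, or visible text), so that an operator can check a donation or receipt page before a third party does. The sample page, the `window.givewpDonors` variable name, and the `data-receipt-email` attribute are constructed for the demonstration.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Loose but practical pattern for email addresses appearing in page source.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample page (hypothetical layout, not GiveWP's actual markup):
# donor records embedded in an inline script, a leftover debug comment,
# a data attribute, and one legitimately public contact address.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Donate</title>
<script>
  window.givewpDonors = [
    {"name": "A. Donor", "email": "alice.donor@example.com"},
    {"name": "B. Donor", "email": "bob@example.net"}
  ];
</script>
</head>
<body>
<!-- TODO remove debug: last donor carol@example.org -->
<form data-receipt-email="dave@example.com">
  <p>Questions? Write to contact@example.org</p>
</form>
</body></html>
"""


class ContextScanner(HTMLParser):
    """Collects (context, email) pairs from raw HTML, including parts a
    rendered page never shows: script bodies, comments and attributes."""

    def __init__(self):
        super().__init__()
        self.hits = []      # list of (context, email) in document order
        self._stack = []    # open tags, used to tell script from text

    def handle_starttag(self, tag, attrs):
        self._stack.append(tag)
        for name, value in attrs:
            if value:
                for email in EMAIL_RE.findall(value):
                    self.hits.append((f"attribute {tag}@{name}", email))

    def handle_endtag(self, tag):
        if tag in self._stack:
            while self._stack and self._stack.pop() != tag:
                pass

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim as data.
        ctx = "script" if "script" in self._stack else "text"
        for email in EMAIL_RE.findall(data):
            self.hits.append((ctx, email))

    def handle_comment(self, data):
        for email in EMAIL_RE.findall(data):
            self.hits.append(("comment", email))


def audit_html(html, allowlist=()):
    """Return (context, email) pairs for every address in the raw HTML that
    is not on the allowlist of intentionally public addresses."""
    allowed = {a.lower() for a in allowlist}
    scanner = ContextScanner()
    scanner.feed(html)
    scanner.close()
    return [(ctx, e) for ctx, e in scanner.hits if e.lower() not in allowed]


def audit_url(url, allowlist=(), timeout=10):
    """Fetch a page unauthenticated, exactly as an anonymous visitor would,
    and audit its source. Only run this against pages you operate."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        html = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return audit_html(html, allowlist)


if __name__ == "__main__":
    for ctx, email in audit_html(SAMPLE_HTML, allowlist=("contact@example.org",)):
        print(f"{ctx:35} {email}")
```

Run against the constructed sample, the script reports four addresses that should never have reached the browser (two in the inline script, one in a comment, one in an attribute) and suppresses the allowlisted contact address. The same scan, pointed at a live page with `audit_url`, is a cheap control to add to a release checklist for any plugin or template that renders user records; anything a page emits unauthenticated is an opportunity for the kind of scraping the donors above experienced.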

The GiveWP plugin, which facilitates donations on the Pi-hole site, inadvertently exposed this information. While Pi-hole did not specify the number of affected donors, data breach tracking service ‘Have I Been Pwned’ listed the incident, estimating that nearly 30,000 donors were impacted, with 73% of those email addresses already in its database.

No payment or financial details were compromised. Credit card and other transaction data are managed directly by Stripe and PayPal. Pi-hole stressed that its core software product was unaffected.

"We make it clear in the donation form that we don't even require a valid name or email address, it's purely for users to see and manage their donations," Pi-hole stated. "It is also important to note that Pi-hole the product is categorically not the subject of this breach. There is no action needed from users with a Pi-hole installed on their network."

Although GiveWP issued a patch within hours of the vulnerability being reported on GitHub, Pi-hole criticized the developer's handling of the situation, citing a 17.5-hour delay in notifying users and insufficient acknowledgment of the seriousness of the exposure.

Pi-hole apologized to affected donors and acknowledged potential reputational harm. While describing the flaw as unforeseeable, the organization accepted responsibility for the consequences.

"The names and email addresses of anyone that had ever donated via our donation page was there for the entire world to see (provided they were savvy enough to right click->View page source). Within a couple of hours of this report, they had patched the bad code and released 4.6.1," Pi-hole noted.

"We take full responsibility for the software we deploy. We placed our trust in a widely-used plugin, and that trust was broken."