Full Report
In July 2025, a vulnerability in the GiveWP WordPress plugin exposed the names and email addresses of approximately 30k donors to the Pi-hole network-wide ad blocking project. Pi-hole subsequently self-submitted the list of impacted donors to HIBP.
Analysis Summary
# Incident Report: Pi-hole Donor Data Exposure via WordPress Plugin Vulnerability
## Executive Summary
In July 2025, Pi-hole disclosed a data exposure in which the names and email addresses of approximately 30,000 donors were exposed through a vulnerability in the GiveWP WordPress plugin used on its donation site. The exposure was confined to the donation system; the core Pi-hole ad-blocking software was not affected. Pi-hole self-submitted the list of affected addresses to Have I Been Pwned (HIBP) and recommended that affected users change passwords and enable multi-factor authentication (MFA).
## Incident Details
- Discovery Date: Unknown (Reported via HIBP submission on 31 Jul 2025)
- Incident Date: July 2025
- Affected Organization: Pi-hole
- Sector: Technology/Software (Ad-blocking Infrastructure)
- Geography: Not specified (Implied global user base)
## Timeline of Events
### Initial Access
- Date/Time: July 2025
- Vector: Vulnerability in the GiveWP WordPress plugin.
- Details: An unspecified vulnerability in the GiveWP plugin exposed donor records held by the Pi-hole WordPress site. The disclosure does not identify the specific flaw, a CVE, or whether the records were actively retrieved by a third party before the exposure was found; "exposure" is the only characterization given.
### Lateral Movement
- Not described. The exposure appears confined to the donor records stored by the GiveWP plugin in the WordPress database; nothing in the disclosure indicates access to other systems.
### Data Exfiltration/Impact
- Compromised Data: Names and email addresses of approximately 30,000 donors.
### Detection & Response
- Detection: How the exposure was first identified is not stated. Pi-hole disclosed it in a post-mortem on its blog, confirming the exposure and the subsequent submission of the affected addresses to HIBP.
- Response Actions: Pi-hole submitted the affected list to HIBP and advised affected users to change their passwords and enable multi-factor authentication (MFA).
## Attack Methodology
- Initial Access: Exploitation of a vulnerability within the GiveWP WordPress plugin.
- Persistence: Not applicable/Not detailed. The incident appears to be a data disclosure rather than a sustained network intrusion.
- Privilege Escalation: Not applicable/Not detailed.
- Defense Evasion: Not applicable/Not detailed.
- Credential Access: Not applicable. No passwords or other credentials are reported exposed; the data consisted of names and email addresses only.
- Discovery: Not applicable.
- Lateral Movement: Not applicable.
- Collection: Retrieval of donor records stored by the GiveWP plugin.
- Exfiltration: Not detailed. The HIBP submission was Pi-hole's own notification step and is not evidence of exfiltration; HIBP does not publish submitted data, it only lets individuals check whether their address appears in a breach.
- Impact: Disclosure of personally identifiable information (PII) for donors.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Names and email addresses of approximately 29,900 individuals (rounded to 30k in the HIBP description).
- Operational: Minimal impact on the core Pi-hole service; the WordPress site hosting the donation platform required immediate remediation.
- Reputational: Moderate; required public disclosure and self-reporting to HIBP.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: None provided. For comparable deployments, the relevant signal would be unexpected or bulk reads of GiveWP donor records, whether through the WordPress site or directly against its database.
## Response Actions
- Containment measures: Not detailed; presumably the exposure path in the GiveWP plugin was closed by updating or disabling the affected functionality.
- Eradication steps: Not detailed; likely updating or removing the vulnerable plugin version.
- Recovery actions: Notifying affected parties via disclosure and recommending security hygiene changes (password changes, MFA adoption).
## Lessons Learned
- Third-party plugin security is a critical attack vector, even for ancillary services like donation tracking.
- No passwords were exposed, so the advice to change passwords and enable MFA is defensive hygiene rather than a sign that credentials were taken: a leaked name-and-email list is primarily a phishing and credential-stuffing target, and donors who reuse passwords elsewhere are the ones at risk.
## Recommendations
- Organizations that run WordPress for auxiliary functions such as donations must keep every plugin patched and review the security posture of those that handle PII; they should also ask whether donor names and addresses need to remain in the plugin's storage at all once a donation has been processed.
- Affected donors should change the password on any account where they reused the password tied to their donor email address, and should expect phishing that references their Pi-hole donation, since a name, an address and a plausible pretext are now available together.
- Affected users should enable multi-factor authentication (MFA) on all critical accounts, particularly the email account used for the donation.
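The recommendations above send affected donors to HIBP. The script below, added here as an example and not code from Pi-hole or HIBP, shows how to check an address against the HIBP v3 breach API programmatically and how to read the result correctly: HIBP answers HTTP 404 for an address that appears in no breach, so a client that treats 404 as a failure tells a donor nothing, while 401 and 429 must not be silently reported as "clean". It assumes an API key in the `HIBP_API_KEY` environment variable, that HIBP lists this incident under the name held in `PIHOLE_BREACH_NAME` (an assumption; confirm against the `/api/v3/breaches` listing), and uses a constructed sample record together with the `canned_fetch` helper so the logic can be exercised offline.

```python
"""Check an e-mail address against the HIBP v3 breach index.

Added example, not Pi-hole or HIBP code. Assumptions:
  * an HIBP API key in the HIBP_API_KEY environment variable
  * PIHOLE_BREACH_NAME is HIBP's identifier for this incident (verify against /api/v3/breaches)
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

HIBP_BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"
PIHOLE_BREACH_NAME = "PiHole"  # assumption: check the real breach name on HIBP


class HibpError(RuntimeError):
    """Raised for responses that cannot be interpreted as 'found' or 'not found'."""


def hibp_fetch(email, api_key, user_agent="hibp-check-example"):
    """Perform the real HTTP request. Returns (status, body_text, headers).

    HIBP requires both the hibp-api-key header and a user-agent; requests without
    a user-agent are rejected. truncateResponse=false returns full breach records,
    including the DataClasses list we need below.
    """
    url = HIBP_BREACHED_ACCOUNT + urllib.parse.quote(email, safe="") + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8"), resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace"), err.headers


def breaches_for(email, api_key, fetch=hibp_fetch):
    """Return the breach records for `email`; [] when HIBP has no record of it.

    404 is HIBP's normal 'not in any breach' answer, not an error. 401 and 429 are
    raised because treating them as 'clean' would give a donor false assurance.
    """
    status, body, headers = fetch(email, api_key)
    if status == 404:
        return []
    if status == 200:
        return json.loads(body)
    if status == 401:
        raise HibpError("HIBP rejected the API key")
    if status == 429:
        raise HibpError("rate limited by HIBP; Retry-After=%s" % headers.get("Retry-After", "?"))
    raise HibpError("unexpected HTTP status %d" % status)


def summarize(email, breaches, breach_name=PIHOLE_BREACH_NAME):
    """Reduce raw breach records to what a donor needs in order to decide next steps."""
    names = sorted(rec["Name"] for rec in breaches)
    data_classes = sorted({cls for rec in breaches for cls in rec.get("DataClasses", [])})
    return {
        "email": email,
        "breach_count": len(names),
        "breaches": names,
        "in_pihole_breach": any(n.lower() == breach_name.lower() for n in names),
        # "Passwords" is HIBP's data-class label; it decides whether the
        # password-change advice is urgent (credentials leaked) or precautionary.
        "passwords_exposed": "Passwords" in data_classes,
        "data_classes": data_classes,
    }


# Constructed sample record (not a real HIBP response) so the logic runs offline.
SAMPLE_RECORDS = [
    {"Name": "PiHole", "Title": "Pi-hole", "DataClasses": ["Email addresses", "Names"]},
]


def canned_fetch(status, records=None, headers=None):
    """Build a stand-in for hibp_fetch that returns a fixed response (offline use)."""
    body = json.dumps(records or [])
    hdrs = headers or {}
    return lambda email, api_key: (status, body, hdrs)


def main(argv):
    if len(argv) != 2:
        print("usage: hibp_check.py <email>", file=sys.stderr)
        return 2
    api_key = os.environ.get("HIBP_API_KEY")
    if not api_key:
        print("set HIBP_API_KEY (see https://haveibeenpwned.com/API/Key)", file=sys.stderr)
        return 2
    print(json.dumps(summarize(argv[1], breaches_for(argv[1], api_key)), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `HIBP_API_KEY=... python3 hibp_check.py donor@example.com`. The `passwords_exposed` field is the one to act on: for this incident the data classes are names and email addresses only, which is why the password and MFA advice is precautionary rather than an emergency reset.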