Nonprofits Face Growing Cybersecurity Risks in Donation Infrastructure
Nonprofit organizations, which handle vast sums of cross-border donations, are increasingly targeted by cybercriminals due to under-resourced and often outdated payment infrastructure. Unlike banks or fintech firms, charities rarely have dedicated security teams, making them predictable targets for ransomware, data scraping, and payment skimming attacks.
Common Attack Vectors
- SQL Injection – Vulnerabilities in donation platforms like GiveWP and Charitable have exposed nonprofits to unauthenticated SQL injection attacks, such as CVE-2021-24917 in GiveWP.
- Formjacking – Magecart Group 5 compromised shared CDN resources, injecting malicious scripts into donation pages to silently steal card data before transactions completed.
- API Exposure – Poorly secured APIs and misconfigured third-party integrations create additional entry points for attackers.
Blockchain as an Alternative
Crypto-based donation platforms (e.g., Gitcoin, The Giving Block) offer a different security model by moving transactions on-chain, reducing reliance on vulnerable web servers. While crypto eliminates card data theft and formjacking risks, it introduces new threats like smart contract exploits and wallet phishing. However, for organizations in conflict zones or high-scrutiny environments, crypto’s resistance to chargebacks and fund freezes can be operationally advantageous.
Compliance Gaps: PCI DSS and GDPR
Many nonprofits mistakenly assume that using payment processors like Stripe exempts them from PCI DSS compliance. However, PCI DSS v4.0 (mandatory since April 2024) still applies, and improper integrations such as embedding unvalidated donation widgets can expand compliance scope unknowingly.
GDPR enforcement has also targeted nonprofits, not just for breaches but for poor data hygiene, such as retaining donor records longer than necessary. Cross-border campaigns, like those for Ukraine relief, have exposed regulatory challenges, including OFAC screening and local registration requirements.
Closing the Security Gaps
Most exploits stem from unpatched vulnerabilities, exposed API keys, and unaudited third-party scripts: issues that require vigilance rather than large budgets. Simple measures like Content Security Policy (CSP) headers, Subresource Integrity (SRI) checks, and automated dependency audits can significantly reduce risks.
The core issue isn’t technical limitations but implementation. Nonprofits often lack the resources to secure their infrastructure, leaving long-standing vulnerabilities unaddressed. Attackers exploit these gaps systematically, targeting the same weaknesses year after year.
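As an added illustration of the SRI and CSP measures described above (example code written for this page, not from the article or any platform it names), the script below pins the expected body of each third-party script a donation page loads, audits the page's script tags for missing or stale integrity attributes, and derives a matching script-src policy. The CDN URL and script body are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (hypothetical CDN URL): the script bodies the donation page is expected
# to load. In practice these are fetched once from the CDN at build time and pinned.
EXPECTED_SCRIPTS = {
    "https://cdn.example.org/donate-widget.js": b"window.donate = function () { /* widget */ };",
}

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_page(html: str, expected=EXPECTED_SCRIPTS) -> list:
    """Flag external scripts that lack SRI, carry a stale hash, or omit crossorigin."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src or not src.startswith(("http://", "https://")):
            continue  # inline and same-origin relative scripts are out of scope here
        integrity = attrs.get("integrity")
        if integrity is None:
            findings.append((src, "missing integrity attribute"))
        elif src in expected and integrity != sri_hash(expected[src]):
            findings.append((src, "integrity does not match pinned script body"))
        if "crossorigin" not in attrs:
            findings.append((src, "missing crossorigin attribute (SRI is not enforced without it)"))
    return findings

def csp_header(expected=EXPECTED_SCRIPTS) -> str:
    """Build a script-src policy that allows only the origins of the pinned scripts."""
    origins = sorted(f"{urlsplit(u).scheme}://{urlsplit(u).netloc}" for u in expected)
    return "Content-Security-Policy: script-src 'self' " + " ".join(origins) + "; object-src 'none'"
```

A stale-hash finding is the signal that matters against CDN-side tampering: the browser would refuse to execute the altered script, and the audit tells you which resource changed under you.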
Source: https://hackread.com/cyber-secure-philanthropy-tech-infrastructure-global-donations/
GiveWP cybersecurity rating report: https://www.rankiteo.com/company/givewp
{
  "id": "GIV1777898417",
  "linkid": "givewp",
  "type": "Vulnerability",
  "date": "4/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "donors",
      "industry": "charity/philanthropy",
      "location": "global (cross-border donations)",
      "type": "nonprofit organizations"
    }
  ],
  "attack_vector": [
    "SQL injection",
    "formjacking",
    "API exposure",
    "malicious scripts",
    "unpatched vulnerabilities",
    "exposed API keys",
    "unaudited third-party scripts"
  ],
  "data_breach": {
    "data_exfiltration": "yes (via formjacking)",
    "personally_identifiable_information": "yes",
    "sensitivity_of_data": "high (payment information, PII)",
    "type_of_data_compromised": ["card data", "donor records", "personally identifiable information"]
  },
  "description": "Nonprofit organizations handling cross-border donations are increasingly targeted by cybercriminals due to under-resourced and outdated payment infrastructure. Common attack vectors include SQL injection, formjacking, and API exposure, leading to ransomware, data scraping, and payment skimming attacks. Compliance gaps in PCI DSS and GDPR further exacerbate risks.",
  "impact": {
    "brand_reputation_impact": "potential loss of donor trust",
    "data_compromised": ["card data", "donor records"],
    "identity_theft_risk": "high (due to card data exposure)",
    "legal_liabilities": ["PCI DSS violations", "GDPR violations"],
    "operational_impact": ["disruption of donation processing", "regulatory scrutiny"],
    "payment_information_risk": "high (due to formjacking and skimming)",
    "systems_affected": [
      "donation platforms (GiveWP, Charitable)",
      "payment processors (Stripe)",
      "crypto-based donation platforms"
    ]
  },
  "lessons_learned": "Most exploits stem from unpatched vulnerabilities, exposed API keys, and unaudited third-party scripts. Nonprofits lack resources to secure infrastructure, leading to systematic exploitation of long-standing vulnerabilities.",
  "motivation": ["financial gain", "data theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "implement CSP headers",
      "use SRI checks",
      "automate dependency audits",
      "patch vulnerabilities",
      "secure API keys",
      "audit third-party scripts"
    ],
    "root_causes": [
      "unpatched vulnerabilities",
      "exposed API keys",
      "unaudited third-party scripts",
      "lack of dedicated security teams"
    ]
  },
  "recommendations": [
    "Implement Content Security Policy (CSP) headers",
    "Use Subresource Integrity (SRI) checks",
    "Conduct automated dependency audits",
    "Patch vulnerabilities promptly",
    "Secure API keys",
    "Audit third-party scripts",
    "Comply with PCI DSS v4.0 and GDPR"
  ],
  "references": [{"source": "CVE-2021-24917 (GiveWP)"}],
  "regulatory_compliance": {"regulations_violated": ["PCI DSS v4.0", "GDPR"]},
  "response": {
    "containment_measures": [
      "Content Security Policy (CSP) headers",
      "Subresource Integrity (SRI) checks",
      "automated dependency audits"
    ],
    "remediation_measures": [
      "patching vulnerabilities",
      "securing API keys",
      "auditing third-party scripts"
    ]
  },
  "threat_actor": ["Magecart Group 5"],
  "title": "Nonprofits Face Growing Cybersecurity Risks in Donation Infrastructure",
  "type": [
    "ransomware",
    "data scraping",
    "payment skimming",
    "SQL injection",
    "formjacking",
    "API exposure"
  ],
  "vulnerability_exploited": [
    "CVE-2021-24917 (GiveWP)",
    "shared CDN resources",
    "misconfigured third-party integrations",
    "unpatched vulnerabilities"
  ]
}