In July 2025, the popular network-level ad-blocking project Pi-hole disclosed a significant data breach that exposed the personal information of approximately 30,000 donors. This incident, caused by a vulnerability in the GiveWP WordPress plugin, serves as a stark reminder of the security risks inherent in third-party plugin dependencies.
What Happened: The Pi-hole Data Breach Timeline
The Pi-hole team first became aware of the security incident on Monday, July 28, 2025, when they received reports from users about suspicious emails. The breach was traced to a critical vulnerability in the GiveWP WordPress donation plugin used on their website.
Key Timeline Events:
- July 28, 2025: Pi-hole team alerted to potential breach via user reports on Reddit and their Discourse forum
- July 29, 2025: GiveWP releases security patch (version 4.6.1)
- July 30, 2025: Pi-hole publishes detailed post-mortem analysis
- July 30, 2025: Breach data submitted to Have I Been Pwned
Have I Been Pwned Statistics: By the Numbers
Have I Been Pwned lists the Pi-hole breach at 29,926 accounts, in line with the roughly 30,000 donors Pi-hole reported. Of those email addresses, 73% were already present in HIBP from earlier, unrelated breaches.
Breach Statistics:
- Compromised Accounts: 29,926 donors
- Data Types Exposed: Names and email addresses only
- Breach Date: July 2025
- Verification Status: Verified and self-submitted by Pi-hole
- Database Overlap: 73% of records were already in HIBP from previous breaches
This breach ranks among the more significant WordPress plugin-related security incidents of 2025, highlighting the ongoing challenges in WordPress ecosystem security.
What Data Was Compromised (And What Wasn’t)
The Pi-hole team was transparent about the scope of the breach in their official post-mortem:
Exposed Information:
- Donor names provided during donation process via the form at pi-hole.net/donate
- Email addresses used for donations
Protected Information:
- Credit card numbers and payment details (processed and stored by Stripe/PayPal, not on the Pi-hole site)
- Verified identities and postal addresses (the donation form only asks for a free-text name, which is what was exposed)
- Phone numbers
- Pi-hole software installations (unaffected)
Importantly, the Pi-hole software itself was not compromised. Users with Pi-hole installations on their networks do not need to take any action regarding their ad-blocking setup.
The GiveWP WordPress Plugin Vulnerability
The root cause was a flaw in GiveWP version 4.6.0: the plugin embedded donor names and email addresses in the HTML source of the donation page, so anyone who viewed the page source could read them. No authentication, account, or special privilege was required.
Technical Details:
- Vulnerable Plugin: GiveWP (WordPress donation plugin)
- Affected Version: 4.6.0
- Attack Vector: Unauthenticated sensitive data exposure; donor PII was served inside the public page source of the donation form, readable with nothing more than "view source"
- Fix Released: Version 4.6.1 (patched within hours of public disclosure)
- Vulnerability Report: GitHub issue #8042 (archived)
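The exposure class above (PII serialised into a public page's markup or inline script) is easy to check for from the outside. The following is an added example, not Pi-hole's or GiveWP's code: it scans an HTML body for email addresses, separates those found inside inline `<script>` blocks from those in the rest of the markup, decodes HTML entities first so an entity-encoded address is still caught, and reports everything not on an operator-supplied allow list of addresses that are meant to be public. The sample page and every address in it are constructed and fictitious.

```python
"""Added example: scan a served HTML page for email addresses that a public
page has no business embedding. This is not Pi-hole's or GiveWP's code; the
sample page below is constructed and every address in it is fictitious."""
import html
import re
from typing import Dict, Iterable, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample: a donation page whose inline script serialises donor
# records for a widget (the pattern at issue), plus a legitimate public
# contact address and an entity-encoded address in the markup.
SAMPLE_HTML = """<html><body>
<form id="donate"><input name="email" placeholder="you@example.com"></form>
<p>Questions? Write to <a href="mailto:support@example.org">support@example.org</a></p>
<span>Thanks, carol&#64;example.net</span>
<script type="text/javascript">
var donationData = {"donors": [
  {"firstName": "Alice", "email": "alice@example.net"},
  {"firstName": "Bob", "email": "bob@example.net"}
]};
</script>
<script>var unrelated = 1;</script>
</body></html>"""


def _distinct(text: str) -> List[str]:
    """Lower-cased addresses in first-seen order, without duplicates."""
    seen: List[str] = []
    for addr in EMAIL_RE.findall(text):
        addr = addr.lower()
        if addr not in seen:
            seen.append(addr)
    return seen


def find_emails(page: str) -> Dict[str, List[str]]:
    """Split the page into inline <script> bodies and everything else and
    report the addresses found in each. Entities such as &#64; are decoded
    first: an obfuscated address is still served to every visitor."""
    page = html.unescape(page)
    scripts = " ".join(SCRIPT_RE.findall(page))
    markup = SCRIPT_RE.sub(" ", page)
    return {"script": _distinct(scripts), "markup": _distinct(markup)}


def leaked_emails(page: str, allowlist: Iterable[str] = ()) -> List[str]:
    """Addresses on the page that are not on the operator's allow list of
    addresses that are meant to be public (contact address, placeholders)."""
    allowed = {a.lower() for a in allowlist}
    found = find_emails(page)
    return sorted({e for group in found.values() for e in group} - allowed)


if __name__ == "__main__":
    # Against a live site: fetch the page body (urllib, curl) and pass it
    # in place of SAMPLE_HTML. The allow list holds the addresses you
    # intentionally publish.
    public = ["support@example.org", "you@example.com"]
    for where, addrs in find_emails(SAMPLE_HTML).items():
        print(f"{where}: {addrs}")
    print("leaked:", leaked_emails(SAMPLE_HTML, allowlist=public))
```

Run this against the unauthenticated view of every page that renders a form or widget from a third-party plugin, not only the donation page; anything in the `script` group is the strongest signal, since data in inline JavaScript is almost always there because a plugin serialised server-side records into the page.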
This is not GiveWP's first security issue. Earlier vulnerabilities in the plugin include CVE-2024-5932 and CVE-2025-2025, which points to an ongoing pattern with this widely used donation plugin.
WordPress Security Context: A Growing Concern
This incident occurs against a backdrop of increasing WordPress security challenges. Recent data shows that 81 new plugin vulnerabilities emerged in the WordPress ecosystem in just the first week of January 2025, with 6 of the vulnerable plugins remaining unpatched.
The Pi-hole breach exemplifies a critical issue in WordPress security: the reliance on third-party plugins that may have security flaws. Security monitoring services like Patchstack and WPScan regularly identify vulnerabilities in popular WordPress plugins.
Pi-hole’s Response and Lessons Learned
The Pi-hole team’s response demonstrates both transparency and accountability through their detailed post-mortem:
- Immediate Investigation: Quick response to user reports
- Full Disclosure: Detailed technical analysis with screenshots and evidence
- Responsibility: Acceptance of responsibility despite third-party cause
- Proactive Reporting: Self-submission to Have I Been Pwned
However, the team expressed disappointment with GiveWP's handling of the issue, citing:
- A 17.5-hour gap between GiveWP releasing the patch and notifying Pi-hole that it addressed a data exposure
- Downplaying of the security impact
- Insufficient communication about the vulnerability's scope
Implications for Website Administrators
This breach offers several critical lessons for WordPress site administrators:
Security Best Practices:
- Regular Plugin Audits: Track installed plugin versions against WPScan and Patchstack advisories and apply fixes promptly
- Minimal Plugin Usage: Only install necessary plugins from reputable developers
- Security Monitoring: Implement services like Wordfence or Sucuri for threat detection
- Vendor Communication: Establish clear communication channels with plugin developers
- Incident Response Planning: Prepare procedures for potential security incidents
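The first two practices above (audit what is installed, keep only what you need) can be automated. The following is an added example and not Pi-hole's, WPScan's or Patchstack's code: it reads the JSON that `wp plugin list --format=json` prints, compares each plugin against a minimum-safe-version policy, and also flags plugins with a pending update and plugins that are inactive. The sample record is constructed; the field names (`name`, `status`, `update`, `version`, `update_version`) are assumed to match WP-CLI's output, and the GiveWP slug `give` with fix version 4.6.1 is taken from this page.

```python
"""Added example: audit the plugins installed on a WordPress site against a
minimum-safe-version policy. Not Pi-hole's or WPScan's code. Input is the
JSON that `wp plugin list --format=json` prints; the record below is
constructed, and the field names are assumed to match that command."""
import json
import re
import sys
from typing import Dict, List, Tuple

# Policy: plugin slug -> first version that contains the fix you care about.
# The GiveWP slug "give" and the 4.6.1 fix version are taken from the page.
MIN_SAFE: Dict[str, str] = {"give": "4.6.1"}

# Constructed sample of WP-CLI output (field names assumed).
SAMPLE_WP_PLUGIN_LIST = """[
  {"name": "give", "status": "active", "update": "available",
   "version": "4.6.0", "update_version": "4.6.1"},
  {"name": "akismet", "status": "active", "update": "none",
   "version": "5.3.3", "update_version": ""},
  {"name": "hello", "status": "inactive", "update": "none",
   "version": "1.7.2", "update_version": ""}
]"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.6.1' (or '4.6.1-beta2') into a comparable tuple of ints;
    a trailing pre-release tag is ignored for comparison purposes."""
    nums = re.match(r"[\d.]+", text.strip())
    if not nums:
        return (0,)
    parts = tuple(int(p) for p in nums.group(0).split(".") if p != "")
    return parts or (0,)


def audit_plugins(plugins: List[dict], policy: Dict[str, str]) -> List[dict]:
    """One finding per problem: below the policy minimum, update pending,
    or installed but inactive (still on disk and still web-reachable)."""
    findings: List[dict] = []
    for p in plugins:
        slug, ver = p.get("name", ""), p.get("version", "")
        if slug in policy and parse_version(ver) < parse_version(policy[slug]):
            findings.append({"plugin": slug, "kind": "below_minimum",
                             "installed": ver, "required": policy[slug]})
        if p.get("update") == "available" and p.get("update_version"):
            findings.append({"plugin": slug, "kind": "update_available",
                             "installed": ver, "available": p["update_version"]})
        if p.get("status") == "inactive":
            findings.append({"plugin": slug, "kind": "inactive_plugin",
                             "installed": ver})
    return findings


def audit_json(text: str, policy: Dict[str, str] = MIN_SAFE) -> List[dict]:
    """Parse WP-CLI's JSON and run the audit."""
    return audit_plugins(json.loads(text), policy)


if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python3 audit_plugins.py
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    if not raw.strip():
        raw = SAMPLE_WP_PLUGIN_LIST
    for finding in audit_json(raw):
        print(finding)
```

Inactive plugins are flagged deliberately: deactivating a plugin removes its hooks but leaves its PHP files on disk and directly requestable, so a flaw in one of those files is still reachable. Remove what you do not use rather than merely deactivating it.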
WordPress Security Resources:
- WordPress Security Team
- WP Vulnerability Database
- Patchstack Vulnerability Research
- National Vulnerability Database (NVD)
Protecting Your Data: What Donors Should Do
If you donated to Pi-hole and received the breach notification:
- Check Your Exposure: Visit Have I Been Pwned to see if your email appears in this or other breaches
- Monitor Your Email: Watch for increased spam or phishing attempts
- Use Unique Passwords: Ensure your email account uses a strong, unique password with a password manager
- Enable 2FA: Add two-factor authentication to important accounts
- Stay Vigilant: Be cautious of emails claiming to be from Pi-hole or related services
The Broader WordPress Security Landscape
The Pi-hole incident reflects broader challenges in WordPress security:
- Plugin Ecosystem Risks: The vast WordPress plugin directory creates numerous potential attack vectors
- Developer Response Times: Inconsistent security response times across plugin developers
- Disclosure Practices: Varying approaches to vulnerability disclosure and user notification
- Regulatory Pressure: Increasing regulatory scrutiny of software security practices
Moving Forward: WordPress Security Trends
As we move through 2025, website administrators should prepare for:
- Increased Regulation: Stricter security compliance requirements
- Enhanced Monitoring: More sophisticated security monitoring tools
- Plugin Vetting: Stricter evaluation criteria for third-party plugins using security scanning tools
- Rapid Response: Faster patch deployment and incident response procedures
Related Security Incidents
This breach is part of a broader trend of WordPress plugin vulnerabilities in 2025:
- WordPress “Alone” theme vulnerability (CVE-2025-5394)
- Multiple WordPress core vulnerabilities including CVE-2025-1123
- Previous GiveWP security issues
Conclusion
The Pi-hole data breach serves as a crucial reminder that even well-intentioned organizations can fall victim to third-party security vulnerabilities. While the exposed data was limited to names and email addresses, the incident highlights the importance of comprehensive security practices in WordPress environments.
For the broader WordPress community, this breach underscores the need for:
- Better plugin security standards and vulnerability disclosure processes
- Enhanced incident response capabilities
- Stronger vendor accountability
- Proactive security monitoring with tools like Patchstack and WPScan
With WordPress running more than 40% of all websites, incidents like this underline that security in its ecosystem is a shared responsibility between core, plugin developers, and the site operators who deploy them.
Resources and Further Reading:
- Pi-hole Official Post-Mortem
- Have I Been Pwned: Pi-hole Breach
- GiveWP Plugin Security Advisory
- WordPress Security Best Practices
- BleepingComputer Coverage
Stay informed about the latest security incidents and protect your digital assets by following WordPress security news and implementing proper cybersecurity hygiene practices.