Pi-hole network Ad-Blocker reports data breach exposing 30,000 donors via a WordPress plugin vulnerability
Pi-hole, the widely used network-level ad-blocking solution, is reporting a data breach that exposed donor personal information due to a security vulnerability in the GiveWP WordPress donation plugin.
The incident affected users who contributed financial support to the open-source project through the organization's website donation system, making their sensitive information publicly visible to anyone with basic web browsing knowledge.
The breach was discovered on Monday, July 28, 2025, when Pi-hole donors began reporting suspicious email communications received at addresses they had used for donations to the project.
The data exposure was caused by a vulnerability in the GiveWP WordPress plugin, which Pi-hole used to process donations on their website. The vulnerability made donor information publicly accessible without requiring authentication or special access privileges, with the data visible to anyone who viewed the webpage's source code.
As Pi-hole explained in their post-mortem analysis, "The names and email addresses of anyone that had ever donated via our donation page was there for the entire world to see (provided they were savvy enough to right click->View page source)."
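A site owner can catch this class of exposure by scanning the HTML served to an unauthenticated visitor for e-mail addresses outside a known-public allowlist. The sketch below is an added example, not code from Pi-hole or GiveWP; the article does not say where in the source the donor data sat, so the scanner reports the location of every hit, and `SAMPLE_PAGE`, the addresses and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of a donation page as served to an anonymous visitor.
SAMPLE_PAGE = """<html><body>
<h1>Donate</h1>
<p>Questions? Write to donations@example.org</p>
<form><input type="hidden" name="last_donor" value="carol@example.net"></form>
<script>var donors = [{"name": "Alice", "email": "alice@example.com"},
                      {"name": "Bob", "email": "bob@example.com"}];</script>
<!-- debug: dave@example.com -->
</body></html>"""

class SourceEmailScanner(HTMLParser):
    """Collects e-mail addresses and where in the page source each one sits."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (context, address) pairs
        self._raw = []       # currently open <script>/<style> elements

    def _scan(self, context, text):
        for addr in EMAIL_RE.findall(text or ""):
            self.findings.append((context, addr.lower()))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw.append(tag)
        for name, value in attrs:          # hidden inputs, data-* attributes
            self._scan(f"attribute:{name}", value)

    def handle_endtag(self, tag):
        if self._raw and self._raw[-1] == tag:
            self._raw.pop()

    def handle_data(self, data):           # rendered text or inline script body
        self._scan(self._raw[-1] if self._raw else "text", data)

    def handle_comment(self, data):
        self._scan("comment", data)

def unexpected_emails(html, allowlist=()):
    """Return sorted (context, address) pairs not covered by the allowlist."""
    scanner = SourceEmailScanner()
    scanner.feed(html)
    scanner.close()
    allowed = {a.lower() for a in allowlist}
    return sorted({f for f in scanner.findings if f[1] not in allowed})

if __name__ == "__main__":
    for context, addr in unexpected_emails(SAMPLE_PAGE, ["donations@example.org"]):
        print(f"{context}: {addr}")
```

Run against the anonymous view of each page that handles personal data after every plugin update, a non-empty result should fail the check.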
The breach affected approximately 30,000 donors according to the Have I Been Pwned data breach notification service, which added the Pi-hole incident to its database after the organization self-submitted the list of impacted individuals.