Pi-hole Data Breach Exposes Donor Emails Through WordPress Plugin Flaw
In the Pi-hole data breach, a vulnerability in the GiveWP plugin exposed the names and email addresses of roughly 30,000 donors. No payment information was leaked, but the incident highlights the security risk carried by third-party tools. Pi-hole has patched the flaw and issued a public apology. 2025-08-04 09:25 Author: securityboulevard.com

A trusted name in open-source privacy software is facing tough questions after a recent data breach exposed donor names and email addresses. Here’s what happened, why it matters, and what you need to know.

What Happened?

On July 28, 2025, members of the Pi-hole community reported suspicious emails sent to addresses used only for Pi-hole donations. Pi-hole quickly traced the issue to a vulnerability in GiveWP, a widely used WordPress plugin that manages donations on their website.

Because of this flaw, donor names and email addresses were present in the website’s page source. Anyone who viewed the source of the page, with no login required, could read this personal information. The vulnerability remained active for an unknown period before being discovered. Have I Been Pwned estimates that about 30,000 donors were affected, though Pi-hole has not provided an exact number.


What Data Was Exposed?

  • Donor names and email addresses were leaked.
  • No payment cards, passwords, or account credentials were exposed.
  • All payments are processed separately by trusted providers like Stripe and PayPal, which were not affected.
  • Pi-hole’s core ad-blocking software stays untouched. The breach only impacted the donation feature on the website.

What Caused the Vulnerability?

The GiveWP WordPress plugin, used by thousands of nonprofits and open-source projects, failed to secure donor information in this case. Sensitive details were included in the raw HTML of the donation management page, so anyone visiting could find them without special access.
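The check a site operator would want after reading this is simple: take the HTML a logged-out browser actually receives and look for personal data in it, wherever it sits. The following is an added example written for this page (not Pi-hole’s or GiveWP’s code). It decodes HTML entities and JSON `\uXXXX` escapes first, since both can hide an address from a naive grep, then reports every email address and whether it was found in visible text, a tag attribute, or an embedded script/JSON block. The sample page, the addresses in it and the allowlist are constructed for the example.

```python
"""Scan raw page source for email addresses that should not be there.

Added example for this article, not Pi-hole's or GiveWP's code. The
sample page below is constructed; the addresses in it are not real.
"""
import html
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed page: a public-facing donation form whose markup embeds
# donor records both in a data- attribute and in an inline JSON blob,
# alongside two legitimate, non-personal addresses.
SAMPLE_PAGE = """<!doctype html>
<html><body>
<p>Questions? Write to <a href="mailto:donate@example.org">donate@example.org</a>.</p>
<form id="donation-form" data-donors='[{"name":"Jane Doe","email":"jane&#64;example.com"}]'>
  <input type="email" name="email" placeholder="you@example.com">
</form>
<script type="application/json" id="donor-data">
{"donations":[{"donor":"John Roe","email":"john.roe\\u0040example.net","amount":25}]}
</script>
</body></html>
"""


def decode(page_source):
    """Undo the two encodings that commonly mask an address in source:
    HTML entities (&#64; -> @) and JSON/JS unicode escapes (\\u0040 -> @)."""
    text = html.unescape(page_source)
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), text)


def classify(text, pos):
    """Say where offset `pos` of the decoded source sits:
    inside a <script> body, inside a tag (attribute), or in visible text."""
    for m in SCRIPT_RE.finditer(text):
        if m.start(1) <= pos < m.end(1):
            return "script"
    for m in TAG_RE.finditer(text):
        if m.start() <= pos < m.end():
            return "attribute"
    return "text"


def find_emails(page_source, allowlist=()):
    """Return sorted (address, location) pairs for every distinct email
    address in the page source, skipping allowlisted addresses such as the
    site's own contact address or a form placeholder."""
    text = decode(page_source)
    skip = {a.lower() for a in allowlist}
    hits = {}
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0).lower()
        if addr in skip:
            continue
        # First occurrence decides the reported location.
        hits.setdefault(addr, classify(text, m.start()))
    return sorted(hits.items())


if __name__ == "__main__":
    known_ok = ("donate@example.org", "you@example.com")
    for addr, where in find_emails(SAMPLE_PAGE, allowlist=known_ok):
        print(f"{addr}\t({where})")
```

To run this against a live site, fetch the page with a client that carries no session cookie (for example `urllib.request.urlopen` or `curl`) and pass the response body to `find_emails`; anything reported outside the allowlist is data that every anonymous visitor can read. The example checks addresses only; donor names can be hunted the same way once you know the field names the plugin emits.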

The GiveWP team addressed the vulnerability within hours after it was reported on GitHub. However, Pi-hole criticized the developers for taking over 17 hours to notify affected customers, arguing that donor privacy required an immediate alert.

Who is Pi-hole?

Pi-hole is an open-source ad blocker that works at the network level by filtering DNS requests. It blocks ads, trackers, and malicious domains network-wide, protecting all connected devices. Originally built for Raspberry Pi hardware, Pi-hole now runs on multiple platforms and is widely used by privacy-minded individuals and organizations.

While Pi-hole’s software has a strong reputation, this event highlights the risk that arises when essential functions like donations depend on third-party plugins.

How Did Pi-hole Respond?

  • Released a public apology and a detailed post-mortem.
  • Accepted responsibility for using the problematic plugin.
  • Removed the flaw and patched their website quickly after being alerted.
  • Emphasized renewed caution when adopting third-party tools.

In their statement, Pi-hole said, “We take full responsibility for the software we deploy. We placed our trust in a widely-used plugin, and that trust was broken.”

What Are the Bigger Implications?

  • Security is about more than just your core product. Web plugins, forms, and add-ons can also create vulnerabilities.
  • Donation platforms for nonprofits and open-source projects are frequent targets but often lack resources for security audits.
  • Timely communication matters. Even with a fast patch, waiting to notify customers can leave them at greater risk.
  • This is part of a larger trend, as other WordPress plugins and theme flaws have caused similar incidents recently.

Do Pi-hole Users Need to Worry?

If you only use Pi-hole software for ad blocking, there is no impact. This breach does not affect the DNS-based service itself. If you donated, treat unexpected messages sent to the address you used as suspect, since phishing is the most likely follow-on use of a leaked name and email address; your payment details and login credentials were not exposed.

Key Takeaway

This incident is a reminder that strong security depends on every part of the technology stack, including third-party plugins. For users and donors, it underscores the value of careful data handling and vigilance in the connected world.

The post Pi-hole Data Breach Exposes Donor Emails Through WordPress Plugin Flaw appeared first on Centraleyes.

*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/pi-hole-data-breach-exposes-donor-emails/


Source: https://securityboulevard.com/2025/08/pi-hole-data-breach-exposes-donor-emails-through-wordpress-plugin-flaw/?utm_source=rss&utm_medium=rss&utm_campaign=pi-hole-data-breach-exposes-donor-emails-through-wordpress-plugin-flaw