Pi-hole Suffers Data Leak Due to WordPress Plugin Vulnerability

The developers behind Pi-hole, the widely used DNS-level ad blocker, have disclosed a data leak exposing the names and email addresses of thousands of donors. The breach stemmed from a vulnerability in the GiveWP WordPress plugin used on their donation page.
What Happened?
Pi-hole, originally designed for Raspberry Pi devices, now runs across a wide range of Linux systems, including virtual machines and dedicated servers. It blocks advertisements and trackers at the network level before they reach user devices.
On July 28, 2025, several users reported receiving suspicious emails sent to addresses they had used exclusively for Pi-hole donations—triggering concerns about a data breach.
An internal investigation confirmed that donor information was exposed via the website’s page source. No authentication or special tools were needed; the data was publicly accessible to anyone who viewed the HTML.
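One defensive check this incident suggests, written here as an added example that is not part of the original article nor of Pi-hole's or GiveWP's code: scan a page's raw HTML, inline scripts and tag attributes included, for e-mail addresses that any visitor could read without logging in. The sample page below is constructed; a real run would feed the function the fetched HTML of your own donation page and your own allowlist of contact addresses.

```python
"""Defensive PII-leak check: find e-mail addresses present in a page's raw HTML."""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _Collector(HTMLParser):
    """Record every e-mail address and where in the document it appears."""

    def __init__(self):
        super().__init__()
        self.stack = []   # open tags, used to tell script content from visible text
        self.hits = []    # (email, location)

    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)
        for name, value in attrs:          # addresses hidden in data-* attributes etc.
            if value:
                self._scan(value, f"attr {tag}[{name}]")

    def handle_endtag(self, tag):
        while self.stack and self.stack.pop() != tag:
            pass

    def handle_data(self, data):           # HTMLParser hands <script> bodies here too
        self._scan(data, "script" if "script" in self.stack else "text")

    def _scan(self, text, location):
        for addr in EMAIL_RE.findall(text):
            self.hits.append((addr.lower(), location))


def find_exposed_emails(html, allowlist=()):
    """Return sorted, de-duplicated (email, location) pairs not on the allowlist."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    allowed = {a.lower() for a in allowlist}
    return sorted({h for h in parser.hits if h[0] not in allowed})


# Constructed sample: a donation page that, like the incident described above,
# embeds donor records in an inline script next to a legitimate contact address.
SAMPLE_HTML = """<html><body>
<p>Questions? Write to donations@example.org</p>
<form data-notify="webmaster@example.org"></form>
<script type="text/javascript">
  var giveDonors = [{"name":"A. Donor","email":"alice@example.net"},
                    {"name":"B. Donor","email":"bob@example.com"}];
</script>
</body></html>"""

if __name__ == "__main__":
    for email, where in find_exposed_emails(SAMPLE_HTML, ["donations@example.org"]):
        print(f"exposed: {email} ({where})")
```

Anything reported under "script" or "attr" is data the page ships to every visitor even though it is not rendered, which is exactly the class of exposure the article describes.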
Scope of the Leak
- Impacted: All users who donated via Pi-hole’s web form, which was powered by the GiveWP plugin.
- Estimated exposure: Nearly 30,000 users, as reflected in the Have I Been Pwned database.
- Data exposed: Names and email addresses.
- Financial data unaffected: Payments were processed securely via Stripe and PayPal—no credit card or billing data was leaked.
- Pi-hole software itself: Remains unaffected. No compromise occurred to user installations.
Developer Response and Criticism
GiveWP responded quickly once notified—patching the vulnerability within hours of its disclosure on GitHub. However, Pi-hole's developers expressed frustration with how the situation was handled.
In their public statement, the Pi-hole team criticized GiveWP for:
- Waiting 17.5 hours before notifying affected users.
- Downplaying the severity of the issue in its public communications.
“We take full responsibility for the software we use,” Pi-hole stated.
“We trusted a widely adopted plugin, and that trust was broken.”
Key Takeaways
- Data breach, not a system breach: Pi-hole’s core product was not affected, but donor trust was impacted.
- Only emails and names exposed: No payment or password data involved.
- Third-party risk is real: Even well-supported plugins can introduce vulnerabilities.
- Phishing alert: Affected users are advised to monitor their inboxes and remain cautious of targeted phishing attempts.
As of today, Pi-hole has completely removed GiveWP from its infrastructure and is reviewing its donation system to ensure greater data privacy.