The developers of the popular ad blocker Pi-hole warned that the names and email addresses of everyone who donated to the project were exposed due to a bug in the GiveWP plugin for WordPress.
Pi-hole operates at the DNS level and sinkholes unwanted content before it reaches users’ devices. Initially, the tool was designed for Raspberry Pi single-board computers, but now it supports various Linux systems, both on dedicated hardware and virtual machines.
According to the developers, they learned about the issue on Monday, July 28, 2025, when users began complaining about suspicious emails being sent to addresses they used solely for Pi-hole donations.
It turns out that the data leak affected users who had ever donated funds to the project through a form on the Pi-hole website. Due to a vulnerability in the GiveWP plugin, which was used for fundraising, their personal data could be seen by anyone simply by viewing the source code of the page (without any authentication or special tools).
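A site operator can test for this kind of exposure by comparing what a page displays with what its source contains. The Python check below is an added example, not code from Pi-hole or GiveWP; the sample markup, the addresses and the function and class names are constructed for illustration and do not reproduce the plugin's actual output.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
NON_RENDERED = {"script", "style", "template", "noscript"}

# Constructed sample page (assumption): one public contact address, plus
# donor-like records that exist only in the source, never in the rendered view.
SAMPLE_PAGE = """<html><body>
<h1>Donate</h1>
<p>Questions? <a href="mailto:donations@example.org">donations@example.org</a></p>
<form><input type="hidden" name="last_donor" value="carol@example.com"></form>
<!-- debug: bob@example.net -->
<script>var formData = {"donors":[{"name":"Alice","email":"alice@example.net"}]};</script>
</body></html>"""

class SourceSplitter(HTMLParser):
    """Separates text a visitor sees from text present only in the page source."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.source_only = [], []
        self._depth = 0  # > 0 while inside a non-rendered element

    def handle_starttag(self, tag, attrs):
        if tag in NON_RENDERED:
            self._depth += 1
        # Attribute values (hidden inputs, data-* attributes) are never shown as text.
        self.source_only.extend(value for _, value in attrs if value)

    def handle_endtag(self, tag):
        if tag in NON_RENDERED and self._depth:
            self._depth -= 1

    def handle_data(self, data):
        (self.source_only if self._depth else self.visible).append(data)

    def handle_comment(self, data):
        self.source_only.append(data)

def find_unlisted_emails(html, allowlist=()):
    """Return addresses not on the allowlist, split by where they appear."""
    parser = SourceSplitter()
    parser.feed(html)
    parser.close()
    allowed = {a.lower() for a in allowlist}
    seen = {m.lower() for m in EMAIL_RE.findall(" ".join(parser.visible))}
    src = {m.lower() for m in EMAIL_RE.findall(" ".join(parser.source_only))}
    return {"visible": sorted(seen - allowed),
            "source_only": sorted(src - seen - allowed)}
```

Run against the unauthenticated HTML of a site's own forms after each plugin update, with the allowlist holding the addresses that are meant to be public; any `source_only` hit is personal data served to every visitor.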
Although Pi-hole did not specify the exact number of those affected, the data breach aggregator Have I Been Pwned has already added the incident to its database, indicating that the issue impacted nearly 30,000 people.
In their statement, the developers emphasized that users’ financial information (such as bank card data) was not compromised, as all payments were processed directly through Stripe and PayPal. It was also clarified that the leak does not affect the Pi-hole tool itself.
“In the donation form, we explicitly state that users are not required to provide even their real name or email. These details are solely for users to manage their donations later,” the developers’ statement reads. “It is important to note: the Pi-hole product is not affected by this incident. Users who have it installed do not need to take any action.”
Although the creators of GiveWP released a patch a few hours after the information about the bug was posted on GitHub, Pi-hole criticized the plugin developers for notifying users about the issue only after 17.5 hours and for not taking the potential consequences of this vulnerability “seriously enough.”
“We take full responsibility for the software we use. We trusted a widely used plugin, and that trust was compromised,” conclude the authors of Pi-hole.