The Donor Wall API endpoint should only be accessible from authenticated requests.
complete
Ben Meredith
Currently, the donor wall is available via a public API endpoint. It should not be.
Ideally, only authenticated requests from the front end of WordPress should have access to that endpoint.
This is not a security issue, since none of the data on the endpoint would be qualified as sensitive information, but it can be Personally Identifiable Information (PII).
Donors who select to be anonymous are not displayed on the Donor wall.
All of that to say, it still would make sense to restrict access to that endpoint, because some organizations may not use the Donor Wall at all, and currently that endpoint is publicly available regardless.
Ben Meredith
complete
This has been resolved in version 2.20 of GiveWP. Update to that, and you are all set!
Ravinder Kumar
ready for release
Kyle Johnson
in progress
Kyle Johnson
under review
Kyle Johnson
planned
Ben Meredith
under review
Our team is looking at this, relatively urgently.