Overview
A high-severity Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-13206, has been discovered in the GiveWP – Donation Plugin and Fundraising Platform for WordPress. This vulnerability affects all versions up to, and including, 4.13.0. Due to insufficient input sanitization and output escaping of the ‘name’ parameter, an unauthenticated attacker can inject arbitrary web scripts into pages within your WordPress site. When a user accesses a page containing the injected script, the script will execute, potentially leading to account compromise, data theft, or other malicious activities.
Crucially, this vulnerability requires that avatars are enabled in your WordPress installation to be exploitable.
Technical Details
The vulnerability lies in the handling of the ‘name’ parameter during the donation process. Specifically, the ‘name’ field is not properly sanitized before being stored in the database, and the stored value is not escaped when it is later rendered. Consequently, when this data is displayed (e.g., on a donor wall), the injected script is executed in the browser of whoever views the page.
The issue can be traced to these files (references relate to version 4.11.0 but are relevant to the vulnerability):
- includes/class-give-donor.php
- includes/process-donation.php
- templates/shortcode-donor-wall.php
The vulnerable code does not adequately escape the ‘name’ parameter, allowing malicious JavaScript code to be injected.
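The following is an added example, not GiveWP's own code: a hypothetical donor-wall template renders the same stored ‘name’ value once without escaping (the defect described above) and once with context-appropriate escaping, and the submit path sanitizes the value before storage. The function names, the `give-donor` markup and the placement of the name in an `alt` attribute are assumptions for illustration; the `esc_html()`, `esc_attr()` and `sanitize_text_field()` stand-ins only exist so the file runs outside WordPress and approximate the real functions.

```php
<?php
// Added example, not GiveWP's code. Template names, markup and the attribute
// context are hypothetical; the stand-ins below are skipped inside WordPress,
// where the real esc_html()/esc_attr()/sanitize_text_field() are loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Approximation of WordPress' behaviour: drop script/style blocks,
        // then all tags, control bytes and surplus whitespace.
        $text = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $text);
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim(preg_replace('/\s+/', ' ', $text));
    }
}

// Constructed input: a name field value as an unauthenticated submitter could send it.
$submitted_name = 'Jane <script>alert(1)</script>';

// Defective path: the stored value is echoed raw into an attribute and into element text.
function render_donor_wall_unescaped(string $name): string {
    return '<div class="give-donor">'
         . '<img class="avatar" src="avatar.png" alt="' . $name . '">'
         . '<span class="give-donor__name">' . $name . '</span>'
         . '</div>';
}

// Fixed path: escape at the point of output, choosing the escaper for the
// context the value lands in (attribute vs. text node).
function render_donor_wall_escaped(string $name): string {
    return '<div class="give-donor">'
         . '<img class="avatar" src="avatar.png" alt="' . esc_attr($name) . '">'
         . '<span class="give-donor__name">' . esc_html($name) . '</span>'
         . '</div>';
}

$stored_raw       = $submitted_name;                      // what the vulnerable handler stores
$stored_sanitized = sanitize_text_field($submitted_name); // what a fixed handler stores

echo "UNESCAPED (raw record):\n", render_donor_wall_unescaped($stored_raw), "\n\n";
echo "ESCAPED (sanitized record):\n", render_donor_wall_escaped($stored_sanitized), "\n\n";

// Records written before a fix still hold the payload; output escaping alone
// turns it into inert text, which is why escaping belongs in the template
// regardless of what the submit handler does.
echo "ESCAPED (raw record):\n", render_donor_wall_escaped($stored_raw), "\n";
```

Run with `php example.php`: the first block prints a live `<script>` element inside the donor card, the other two print `&lt;script&gt;` entities that a browser shows as literal text. Sanitizing on store and escaping on output are both needed: the former keeps junk out of the database, the latter protects against records that were stored before the fix or reached the database by another route.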
CVSS Analysis
- CVE ID: CVE-2025-13206
- Severity: HIGH
- CVSS Score: 7.2
This CVSS score reflects the high potential impact of the vulnerability, considering the ease of exploitation (no authentication required) and the potential for significant damage (arbitrary script execution in the browser of any visitor who views the affected page).
Possible Impact
Successful exploitation of this vulnerability can lead to a range of severe consequences:
- Account Compromise: An attacker could potentially steal administrator cookies or credentials, gaining full control of the WordPress site.
- Data Theft: Sensitive information, such as donor details, could be exfiltrated.
- Malware Distribution: The injected script could redirect users to malicious websites or initiate drive-by downloads.
- Website Defacement: An attacker could modify the appearance and content of the website, damaging its reputation.
Mitigation and Patch Steps
The most important step is to immediately update the GiveWP plugin to the latest version. Check the WordPress plugin repository for the latest available version.
- Update GiveWP: Log in to your WordPress admin dashboard and navigate to “Plugins” > “Installed Plugins.” Locate the GiveWP plugin and click “Update Now.”
- Verify Update: After updating, confirm that you are running a version newer than 4.13.0.
- Consider a Security Scan: Run a thorough security scan of your WordPress site to detect any potential compromises that may have occurred before the update.
- Disable Avatars (If Necessary): As a temporary measure, if updating immediately is not possible, disabling avatars in your WordPress settings may mitigate the risk, as avatars are required for this vulnerability to be exploitable. Navigate to Settings -> Discussion and uncheck ‘Show Avatars’.
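To support the security-scan step above, here is an added example (not GiveWP's code or a feature of the plugin) that lists stored donor names containing markup or script-like fragments so an administrator can review and clean them after updating. The rows are constructed inline so it runs offline; the commented `$wpdb` query and the `give_donors` table name are assumptions to adapt to the installation being checked.

```php
<?php
// Added example, not GiveWP's code: flag stored donor names that contain markup
// or script-like fragments. Rows below are constructed; the commented query and
// the give_donors table name are assumptions.

// In WordPress you would load real rows instead, for example:
//   $rows = $wpdb->get_results("SELECT id, name, email FROM {$wpdb->prefix}give_donors", ARRAY_A);
$rows = [
    ['id' => 1, 'name' => 'Jane Doe',                      'email' => 'jane@example.invalid'],
    ['id' => 2, 'name' => 'Bob <script>alert(1)</script>', 'email' => 'bob@example.invalid'],
    ['id' => 3, 'name' => '<img src=x onerror=alert(1)>',  'email' => 'eve@example.invalid'],
    ['id' => 4, 'name' => "O'Brien & Sons",                'email' => 'ob@example.invalid'],
    ['id' => 5, 'name' => 'javascript:alert(1)',           'email' => 'mal@example.invalid'],
];

// A name that changes under tag stripping, or that carries an event-handler,
// javascript: or tag-like fragment, is not a plausible person name and should
// be reviewed. This is a review heuristic, not a complete XSS detector.
function is_suspicious_name(string $name): bool {
    if (strip_tags($name) !== $name) {
        return true;
    }
    return (bool) preg_match('/\bon[a-z]+\s*=|javascript\s*:|<\s*\/?\s*[a-z]/i', $name);
}

// Returns the subset of rows whose name is suspicious, preserving id and email
// so the records can be located and cleaned.
function find_suspicious_names(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (is_suspicious_name((string) $row['name'])) {
            $hits[] = ['id' => $row['id'], 'email' => $row['email'], 'name' => $row['name']];
        }
    }
    return $hits;
}

$hits = find_suspicious_names($rows);
printf("%d of %d donor records need review\n", count($hits), count($rows));
foreach ($hits as $hit) {
    // Escape before printing so the report itself cannot re-trigger the payload
    // if someone views it in a browser.
    printf("donor #%d <%s>: %s\n", $hit['id'], $hit['email'],
           htmlspecialchars($hit['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}
```

On the constructed rows the script reports three records (ids 2, 3 and 5) and leaves the legitimate "O'Brien & Sons" alone, since an ampersand or apostrophe is not markup. Flagged names should be corrected or removed in the database rather than merely hidden, and the affected donors' records checked for other tampering.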