SQL Injection Vulnerability in Charitable Donation Plugin for WordPress
CVE-2025-11893

8.8HIGH

Key Information:

Vendor

WordPress
Status
Charitable – Donation Plugin For WordPress – Fundraising With Recurring Donations & More
Vendor
CVE Published:
25 October 2025

What is CVE-2025-11893?

The Charitable Donation Plugin for WordPress is susceptible to SQL injection through the donation_ids parameter. This vulnerability arises from inadequate user input sanitization and insufficient preparation of existing SQL queries. Authenticated users with Subscriber-level access and upwards can exploit this weakness to append unauthorized SQL queries, potentially compromising sensitive database information. To successfully exploit this vulnerability, attackers are required to perform a paid donation.

Affected Version(s)

Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More * <= 1.8.8.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/charitable/tru...
https://plugins.trac.wordpress.org/changeset/3382719/char...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rafshanzani Suhada
JSON
.