Stored Cross-Site Scripting Vulnerability in GiveWP Donation Plugin for WordPress
CVE-2025-13206

7.2HIGH

Key Information:

Vendor: WordPress
Status: GiveWP – Donation Plugin And Fundraising Platform
Vendor: CVE Published:; 19 November 2025

What is CVE-2025-13206?

The GiveWP Donation Plugin for WordPress exhibits a vulnerability allowing for Stored Cross-Site Scripting through the 'name' parameter in all versions up to and including 4.13.0. This weakness arises from inadequate input sanitization and output escaping, enabling unauthenticated attackers to insert arbitrary web scripts into pages. The exploitation becomes feasible when avatars are enabled in the WordPress installation, potentially compromising user interactions and site integrity.

Affected Version(s)

GiveWP – Donation Plugin and Fundraising Platform * <= 4.13.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/give/tags/4.11...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 19, 2025
Vulnerability Reserved
Nov 14, 2025

Credit

Angus Girvan

JSON