Stored Cross-Site Scripting in GiveWP Donation Plugin for WordPress
CVE-2025-7205
5.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 31 July 2025
What is CVE-2025-7205?
The GiveWP – Donation Plugin for WordPress is susceptible to stored cross-site scripting attacks via the donor notes parameter. This vulnerability arises from inadequate input sanitization and output escaping practices, enabling authenticated attackers with worker-level access to inject arbitrary web scripts into affected pages. The injected scripts may execute whenever a user accesses the compromised page. Furthermore, attackers could exploit this vulnerability by enticing an administrator into visiting a legacy version of the site, heightening the risk of unauthorized actions on the site.
Affected Version(s)
GiveWP – Donation Plugin and Fundraising Platform * <= 4.5.0