CVE-2025-13206
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious JavaScript into WordPress sites using the GiveWP donation plugin. The stored XSS executes when users view pages containing the injected content, potentially compromising visitor accounts. All WordPress sites with GiveWP plugin versions up to 4.13.0 and avatars enabled are affected.
💻 Affected Systems
- GiveWP – Donation Plugin and Fundraising Platform for WordPress
📦 What is this software?
GiveWP by GiveWP
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, redirect visitors to malicious sites, or deploy ransomware payloads to all site visitors.
Likely Case
Attackers will inject cryptocurrency miners, adware, or credential-stealing scripts that affect visitors and potentially compromise user accounts.
If Mitigated
With proper WAF rules and content security policies, script execution would be blocked, limiting impact to defacement or benign payloads.
🎯 Exploit Status
Technical details and proof-of-concept are publicly available. The vulnerability requires no authentication and minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.13.1 and later
Vendor Advisory: https://wordpress.org/plugins/give/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the GiveWP plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.13.1+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable WordPress Avatars
Temporarily disable user avatars in WordPress settings to prevent exploitation while patching.
Implement Content Security Policy
Add CSP headers to block inline script execution and restrict script sources.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to wp-config.php (must run before any output is sent): header("Content-Security-Policy: default-src 'self'; script-src 'self'");
Note that this policy also blocks WordPress's own inline scripts and any third-party scripts, so test it on a staging site before deploying.
🧯 If You Can't Patch
- Deploy a web application firewall (WAF) with XSS protection rules to block malicious payloads
- Disable the GiveWP plugin entirely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → GiveWP version. If version is 4.13.0 or lower, you are vulnerable.
Check Version:
wp plugin list --name=give --field=version (if WP-CLI installed) or check WordPress admin plugins page
Verify Fix Applied:
After updating, verify GiveWP version shows 4.13.1 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to donation endpoints with script tags in 'name' parameter
- Multiple failed donation submissions with JavaScript payloads
Network Indicators:
- HTTP requests containing <script> tags in donation form submissions
- Unusual traffic to donor wall pages from unexpected sources
SIEM Query:
source="wordpress.log" AND ("process-donation" OR "donor-wall") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
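The same indicators as a log scanner, added here as an example and not code from the advisory or from GiveWP. It URL-decodes parameter values before matching, so encoded or double-encoded payloads that the literal SIEM query above would miss are still caught. The log format, request paths and parameter names in the sample lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed format: Apache-style request line plus an optional trailing
# quoted request body, as some WAF/proxy logs record it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>[^"]*)")?$'
)
ENDPOINTS = ("process-donation", "donor-wall")  # endpoints named in the advisory
INDICATORS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are seen in clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for a suspicious donation request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not any(ep in parts.path for ep in ENDPOINTS):
        return None
    # parse_qs decodes one layer; fully_decode handles any further layers.
    params = parse_qs(parts.query, keep_blank_values=True)
    if m.group("body"):
        params.update(parse_qs(m.group("body"), keep_blank_values=True))
    for name, values in params.items():
        for raw in values:
            hit = INDICATORS.search(fully_decode(raw))
            if hit:
                return {"ip": m.group("ip"), "method": m.group("method"),
                        "path": parts.path, "param": name,
                        "indicator": hit.group(0).lower()}
    return None


def scan_log(lines):
    return [f for f in (scan_line(l) for l in lines) if f]


SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [10/Nov/2025:10:00:01 +0000] "POST /wp/process-donation HTTP/1.1" 200 512 "name=Alice+Smith&amount=20"',
    '198.51.100.7 - - [10/Nov/2025:10:01:00 +0000] "POST /wp/process-donation HTTP/1.1" 200 512 "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&amount=5"',
    '198.51.100.7 - - [10/Nov/2025:10:02:00 +0000] "GET /donor-wall/?sort=%22+onerror%3Dalert(1) HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Nov/2025:10:03:00 +0000] "POST /wp/process-donation HTTP/1.1" 200 512 "name=%253Cscript%253E&amount=1"',
    '192.0.2.9 - - [10/Nov/2025:10:04:00 +0000] "GET /wp-login.php?redirect_to=%3Cscript%3E HTTP/1.1" 200 300',
]
```

Running `scan_log(SAMPLE_LOG)` flags the three donation-endpoint lines and ignores the benign submission and the non-donation request.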
🔗 References
- https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/class-give-donor.php#L1135
- https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/process-donation.php#L1230
- https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/templates/shortcode-donor-wall.php#L59
- https://plugins.trac.wordpress.org/changeset/3398128/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/95823720-e1dc-46c1-887b-ffd877b2fbe5?source=cve