GiveWP < 4.13.2 – Unauthenticated Arbitrary Shortcode Execution | CVE 2025-66533 | Plugin Vulnerabilities

Description

The The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.13.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Fixed in 4.13.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b9860e0e-e330-42fc-8a74-336ceb787f39

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Kishan Vyas

Verified

No

WPVDB ID

3d8f4752-888f-45e3-8232-ca65078bdc98

Timeline

Publicly Published

2026-01-08 (about 4 months ago)

Added

2026-01-13 (about 3 months ago)

Last Updated

2026-01-13 (about 3 months ago)

Other

Published

Title

Published

2025-01-29

Title

Contact Form & SMTP Plugin for WordPress by PirateForms < 2.6.1 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-04-09

Title

ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution

Published

2024-03-13

Title

WP Fusion Lite < 3.42.10 - Authenticated (Contributor+) Remote Code Execution

Published

2025-04-25

Title

Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution

Published

2023-09-19

Title

File Manager Pro < 1.8.1 - Admin+ Remote Code Execution