WordPress Plugin Vulnerabilities

Donation <= 1.0 - Admin+ SQLi

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks

Proof of Concept

Affects Plugins

Plugin icon
donation
No known fix

References

CVE
CVE-2025-13001

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Yousof Nahya
Submitter
Yousof Nahya
Submitter website
https://linkedin.com/in/yousof-nahya/
Verified
Yes
WPVDB ID
4e7a8154-46bf-44c9-ad9a-273e99ae2104

Timeline

Publicly Published
2025-11-11 (about 2 months ago)
Added
2025-11-11 (about 2 months ago)
Last Updated
2025-11-11 (about 2 months ago)

Other

Published
Title
Published
2022-10-03
Title
Blog2Social < 6.9.10 - Subscriber+ SQLi
Published
2023-10-30
Title
Wp anything slider < 9.2 - Authenticated (Subscriber+) SQL Injection via Shortcode
Published
2020-09-11
Title
10Web Social Post Feed < 1.1.27 - Authenticated SQL Injection
Published
2025-01-13
Title
Course Booking System < 6.0.7 - Unauthenticated SQL Injection
Published
2021-01-03
Title
Contact Form Submissions < 1.7.1 - Authenticated SQL Injection