WordPress Plugin Vulnerabilities

Give <= 2.5.0 - SQL Injection

Description

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/payments/class-payments-query.php or includes/donors/class-give-donors-query.php

Affects Plugins

Plugin icon
give
Fixed in 2.5.1

References

CVE
CVE-2019-13578
URL
https://fortiguard.com/zeroday/FG-VD-19-098
URL
https://www.fortinet.com/blog/threat-research/wordpress-plugin-sql-injection-vulnerability.html

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Tin Duong of Fortinet's FortiGuard Labs
Verified
No
WPVDB ID
57f5eb45-234d-42d6-8ee4-0997667eb7f9

Timeline

Publicly Published
2019-08-12 (about 6 years ago)
Added
2019-08-12 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-04-22
Title
Message Filter for Contact Form 7 < 1.6.33 - Authenticated (Administrator+) SQL Injection
Published
2025-11-05
Title
Easy Email Subscription < 1.3.1 - Authenticated (Admin+) SQL Injection via uid
Published
2025-07-28
Title
Bricks Builder < 2.0 - Unauthenticated SQL Injection via `p` Parameter
Published
2025-12-04
Title
My auctions allegro < 3.6.33 - Unauthenticated SQL Injection via auction_id
Published
2026-03-06
Title
Community Events < 1.5.9 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field