WordPress Plugin Vulnerabilities

GiveWP – Donation Plugin and Fundraising Platform < 4.6.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site.

Affects Plugins

Plugin icon
give
Fixed in 4.6.0

References

CVE
CVE-2025-7205
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/39e501d8-88a0-4625-aeb0-aa33fc89a8d4

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Brian Sans-Souci (liardom)
Verified
No
WPVDB ID
fda8eaea-ca20-417a-896b-49c1fa0a1c07

Timeline

Publicly Published
2025-07-30 (about 9 months ago)
Added
2025-07-30 (about 9 months ago)
Last Updated
2025-07-31 (about 9 months ago)

Other

Published
Title
Published
2025-11-04
Title
Spectra < 2.19.15 - Contributor+ Stored XSS via Custom CSS
Published
2022-04-26
Title
Turn off all comments <= 1.0 - Reflected Cross-Site Scripting
Published
2015-11-24
Title
Websimon Tables <= 1.3.4 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2025-12-31
Title
The Moneytizer < 10.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
CtyGrid Hyp3rL0cal Search WordPress Plugin <= 0.1.1.1 - Reflected Cross-Site Scripting