Description
The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks
Published: 2025-12-02
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling privileged users to modify database contents
Action: Apply Patch
AI Analysis

Impact

The Donations WordPress plugin through version 1.0 fails to sanitize a user supplied parameter before embedding it in a SQL query. This flaw allows a logged‑in administrator or other high‑privilege user to inject arbitrary SQL that can read, modify, or delete database records, potentially compromising the integrity and confidentiality of the site.

Affected Systems

Any WordPress installation that has the Donations plugin (Unknown vendor) installed with a version of 1.0 or older is affected. The plugin is deployed on the WordPress core without vendor identification.

Risk and Exploitability

The CVSS score of 4.1 indicates a moderate severity, while the EPSS score of less than 1% shows that exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog, further suggesting lower immediate risk for large‑scale attacks. In practice, exploitation would require an attacker to compromise an administrator account or otherwise gain administrative privileges to send the malicious input.

Generated by OpenCVE AI on April 27, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Donations plugin to a version that implements proper input sanitization.
  • If no newer version exists, deactivate or remove the plugin entirely to eliminate the attack surface.
  • Implement a web application firewall rule set that blocks known SQL injection patterns targeting WordPress plugins.

Generated by OpenCVE AI on April 27, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Kieranoshea
Kieranoshea donations
Weaknesses CWE-89
CPEs cpe:2.3:a:kieranoshea:donations:*:*:*:*:*:wordpress:*:*
Vendors & Products Kieranoshea
Kieranoshea donations

Thu, 04 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 02 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Dec 2025 06:15:00 +0000

Type Values Removed Values Added
Description The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks
Title Donation <= 1.0 - Admin+ SQLi
References

Subscriptions

Kieranoshea Donations
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:53.542Z

Reserved: 2025-11-11T12:44:18.243Z

Link: CVE-2025-13001

cve-icon Vulnrichment

Updated: 2025-12-02T13:32:53.453Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-02T06:15:45.543

Modified: 2026-01-30T20:42:15.960

Link: CVE-2025-13001

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:45:15Z

Weaknesses