Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site.
Published: 2025-07-31
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Update
AI Analysis

Impact

The GiveWP Donation Plugin for WordPress allows an authenticated user with worker‑level or higher permissions to store unsanitized JavaScript in a donor note. When a page that renders the note is later visited, the script executes in the visitor's browser, enabling client‑side attacks against that user. The advisory attributes the flaw to insufficient input sanitization and output escaping and gives no further detail, so the documented effect is limited to script execution in the victim's browser rather than any other outcome.

Affected Systems

WordPress sites running GiveWP version 4.5.0 or earlier are affected. On any such installation, a user holding the GiveWP worker role or higher can exploit the flaw, provided the legacy interface is still enabled. Sites that have removed the plugin or disabled legacy mode are not impacted.

Risk and Exploitability

The CVSS score of 5.4 classifies the flaw as medium severity, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA KEV. Exploitation requires the attacker to first authenticate to the WordPress admin area with at least GiveWP worker‑level access, store a malicious note, and then persuade an administrator to visit a page that renders the legacy interface. If that succeeds, the injected script runs in the administrator's browser, giving the attacker client‑side control of that session.

Generated by OpenCVE AI on April 21, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the vendor’s release notes for a patch that addresses input sanitization in donor notes and apply it as soon as it becomes available.
  • If a patch is not yet released, consider disabling the plugin’s legacy mode or removing the legacy endpoint entirely to prevent rendering of injected notes.
  • Restrict GiveWP worker‑level access to only the minimum set of users who require it, revoking permissions that are unnecessary.
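As an added illustration of the bug class behind this CVE (sanitization on input and escaping on output of a donor note), the following shows the unsafe pattern beside a hardened one using WordPress's own helpers. This is not GiveWP's code; the example_* function names are hypothetical and the sample note is constructed.

```php
<?php
// Added illustration of the CWE-79 pattern described in the advisory.
// Not GiveWP's code: the example_* names are hypothetical; the WordPress
// helpers (sanitize_textarea_field, wp_unslash, esc_html, wp_kses) are real.

/* ---- Unsafe form: no sanitization on input, no escaping on output ---- */

function example_save_note_unsafe( string $raw ): string {
    // Stored exactly as submitted; a note containing markup is kept as markup.
    return $raw;
}

function example_render_note_unsafe( string $stored ): string {
    // Concatenating the stored value verbatim turns that markup into live HTML
    // in the viewer's browser; a legacy template is one such render path.
    return '<p class="donor-note">' . $stored . '</p>';
}

/* ---- Hardened form: sanitize on input AND escape on every output ---- */

function example_save_note_safe( string $raw ): string {
    // Strip the slashes WordPress adds to request data, then remove tags and
    // control characters while keeping line breaks.
    return sanitize_textarea_field( wp_unslash( $raw ) );
}

function example_render_note_safe( string $stored ): string {
    // Escape at the output point regardless of how the value was stored:
    // notes saved before a fix are still in the database unsanitized.
    return '<p class="donor-note">' . nl2br( esc_html( $stored ) ) . '</p>';
}

function example_render_note_limited_html( string $stored ): string {
    // If staff must be allowed minimal formatting, allowlist it explicitly
    // rather than trusting stored content; every other tag is stripped.
    $allowed = array( 'strong' => array(), 'em' => array(), 'br' => array() );
    return '<p class="donor-note">' . wp_kses( $stored, $allowed ) . '</p>';
}

// Constructed sample note containing markup, pushed through each path.
$note = "Thanks for donating!\n<script>alert(1)</script>";
echo example_render_note_unsafe( $note );       // markup reaches the page as-is
echo example_render_note_safe( $note );         // markup rendered as inert text
echo example_render_note_limited_html( $note ); // script tag stripped, text kept
```

Run inside a WordPress bootstrap (for example a WP-CLI `eval-file`) so the wp_* helpers are loaded; the point is that the escaping call sits in every output path, including any legacy view, not only behind the input filter.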

Generated by OpenCVE AI on April 21, 2026 at 19:32 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-23243
Title: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site.
History

Wed, 13 Aug 2025 19:45:00 +0000

  • First Time appeared (values added): Givewp; Givewp givewp
  • CPEs (values added): cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*
  • Vendors & Products (values added): Givewp; Givewp givewp

Thu, 31 Jul 2025 21:00:00 +0000

  • First Time appeared (values added): Givew; Givew donation Plugin And Fundraising Platform; Wordpress; Wordpress wordpress
  • Vendors & Products (values added): Givew; Givew donation Plugin And Fundraising Platform; Wordpress; Wordpress wordpress

Thu, 31 Jul 2025 15:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 31 Jul 2025 07:45:00 +0000

  • Description (values added): The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site.
  • Title (values added): GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting
  • Weaknesses (values added): CWE-79
  • References: (no values recorded)
  • Metrics (values added): cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:50.644Z

Reserved: 2025-07-07T12:05:07.346Z

Link: CVE-2025-7205

Vulnrichment

Updated: 2025-07-31T14:34:44.576Z

NVD

Status: Analyzed

Published: 2025-07-31T08:15:25.687

Modified: 2025-08-13T19:30:16.170

Link: CVE-2025-7205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses