GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting

July 31, 2025 invoker category_cve

CVE Details

Basic Information

Title GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting
Type cve
Published 2025-07-31T07:25:00.594Z
Modified 2025-07-31T07:25:00.594Z

Product Information

Vendor givewp
Product GiveWP – Donation Plugin and Fundraising Platform
Version *

CVSS Information

Base Score 5.4 (MEDIUM)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected Products

  • givewp GiveWP – Donation Plugin and Fundraising Platform *

Additional Information

CWE List CWE-79
Source Wordfence

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.