CVE-2025-13206
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-26
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| givewp | givewp | < 4.13.1 (all versions up to and including 4.13.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the GiveWP – Donation Plugin and Fundraising Platform for WordPress is a Stored Cross-Site Scripting (XSS) issue. It occurs via the 'name' parameter in all versions up to and including 4.13.0 because the submitted value is neither sufficiently sanitized on input nor escaped on output. An unauthenticated attacker can therefore store arbitrary HTML and JavaScript in the donor name, and that script runs in the browser of any user, including a site administrator, who views a page where the stored name is rendered. Exploitation requires that avatars are enabled in the WordPress installation (Settings > Discussion > "Show Avatars", the show_avatars option).
How can this vulnerability impact me?
This vulnerability allows an attacker to run JavaScript in the context of your site for whoever views the stored payload. Because no authentication is needed to submit the payload and it is stored rather than reflected, a single malicious submission can affect every visitor to the affected page and every staff member who reviews donations. WordPress sets its authentication cookies HttpOnly, so the practical risk is less cookie theft than the script acting as the victim: with an administrator's session it can issue authenticated requests to wp-admin, for example to create a new administrator account or inject content into pages, which leads to full site compromise. Against ordinary visitors it can deface the page, redirect to phishing or malware, or capture form input such as donor details.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirming exposure and looking for exploitation. Exposure is present when the GiveWP plugin is at version 4.13.0 or earlier and avatars are enabled; both can be checked with WP-CLI: `wp plugin get give --field=version` and `wp option get show_avatars` (a value of 1 means avatars are shown). For exploitation, the stored data is the most reliable place to look, since a payload that was submitted weeks ago is still in the database: with the default wp_ table prefix, the plugin's donors table can be queried with `wp db query "SELECT id, name, email, date_created FROM wp_give_donors WHERE name LIKE '%<%' OR name LIKE '%javascript:%';"` (the table name is taken from the plugin's donors table; adjust the prefix for your install). Request logs are the second source, but note that standard web server access logs do not record POST bodies, so a grep such as `grep -i '<script' /path/to/access.log | grep 'name='` only catches payloads sent in a query string and misses the URL-encoded form (`%3Cscript`) that browsers and most tools actually send. Searching for decoded payloads in the 'name' parameter therefore needs a log that records request bodies, such as a WAF audit log or a reverse proxy configured to log bodies, or an intrusion detection system with rules that decode HTTP parameters before matching XSS signatures. [1]
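The log-scanning logic described above, as an added example that is not part of the BaseFortify page or of GiveWP itself. It assumes a request log that records bodies (a WAF or audit log; a standard access log does not) in a constructed tab-separated format of timestamp, method, path and form body. Because the advisory names only the 'name' parameter and the exact form field names on a given install are an assumption, the scanner inspects every parameter whose key contains "name", and it decodes layered URL and HTML-entity encoding before matching so that obfuscated payloads are not missed. The sample log lines are constructed for the example.

```python
"""Scan request logs for stored-XSS payloads aimed at GiveWP's 'name' field.

Added example; not code from BaseFortify or the GiveWP project. Log format and
field names are assumptions (see the lead-in).
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Signatures checked against the fully decoded value. Deliberately broad:
# a donor name has no business containing any of these.
XSS_PATTERNS = {
    "tag": re.compile(r"<\s*/?\s*(script|img|svg|iframe|object|embed|body|style|math)\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]{2,}\s*=", re.I),   # onerror=, onload=, ...
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
}


def decode_value(value: str, rounds: int = 3) -> str:
    """Peel off layered URL-encoding and HTML entities until the value stops changing."""
    for _ in range(rounds):
        new = html.unescape(unquote_plus(value))
        if new == value:
            break
        value = new
    return value


def extract_fields(path: str, body: str) -> dict:
    """Merge query-string and form-encoded body parameters into one {key: [values]} map."""
    fields: dict = {}
    for source in (urlsplit(path).query, body):
        if source:
            for key, values in parse_qs(source, keep_blank_values=True).items():
                fields.setdefault(key, []).extend(values)
    return fields


def classify(value: str):
    """Return (reason, decoded_value) if the value looks like an XSS payload, else None."""
    decoded = decode_value(value)
    for reason, pattern in XSS_PATTERNS.items():
        if pattern.search(decoded):
            return reason, decoded
    return None


def scan_log(lines, key_filter=re.compile(r"name", re.I)) -> list:
    """Scan tab-separated 'timestamp\\tmethod\\tpath\\tbody' lines; report suspicious name-like fields."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash mid-scan
        ts, method, path, body = parts[:4]
        for key, values in extract_fields(path, body).items():
            if not key_filter.search(key):
                continue
            for value in values:
                hit = classify(value)
                if hit:
                    findings.append({
                        "line": lineno, "ts": ts, "method": method,
                        "field": key, "reason": hit[0], "decoded": hit[1],
                    })
    return findings


# Constructed sample: one benign donation, two injection attempts (single- and
# double-URL-encoded), and a benign GET whose name contains an apostrophe.
SAMPLE_LOG = [
    "2025-11-20T10:01:02Z\tPOST\t/donate/\tgive_first=Alice&give_last=Smith&give_email=a%40example.org",
    "2025-11-20T10:02:17Z\tPOST\t/donate/\tname=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&give_email=x%40example.org",
    "2025-11-20T10:03:40Z\tPOST\t/donate/\tname=%253Cscript%253Esrc%253D//evil.example/x.js%253C/script%253E",
    "2025-11-20T10:04:05Z\tGET\t/?name=Bob%20O%27Brien\t",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ts']} {f['method']} field={f['field']} "
              f"reason={f['reason']} decoded={f['decoded']!r}")
```

Run it against a real body-logging export by replacing SAMPLE_LOG with the file's lines; anything it flags should be cross-checked against the donors table, because a request that was logged but blocked by a WAF never reached the database, while a request that predates body logging will only show up there.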
What immediate steps should I take to mitigate this vulnerability?
Update the GiveWP plugin to version 4.13.1 or later, which contains the fix for CVE-2025-13206 (`wp plugin update give`, or via the WordPress dashboard). If you cannot update immediately, disable avatars (Settings > Discussion > "Show Avatars", or `wp option update show_avatars 0`); exploitation depends on avatars being enabled, so this closes the path until the update is applied. A Web Application Firewall rule that blocks requests carrying HTML tags, event handlers or javascript: URIs in the 'name' parameter of donation forms reduces exposure, provided it decodes URL-encoded input before matching. Rate-limiting and monitoring unauthenticated POST requests to the donation endpoints helps spot attempts, but blocking them outright would also stop legitimate donations. Finally, updating does not remove payloads that were stored before the fix: review existing donor names for HTML or script content and clean them after the update. [5]