cleantalk
Vulnerabilities and Security Researches

GiveWP – Donation Plugin and Fundraising Platform, CVE-2025-13206

CVE, Research URL

CVE-2025-13206

Home page URL

Security reports for GiveWP – Donation Plugin and Fundraising Platform

Application

GiveWP – Donation Plugin and Fundraising Platform

Published on
Nov 19, 2025
Research Description
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability.
Affected versions
max 4.13.1.
Status
vulnerable
Previous vulnerability researches
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-24573) , Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-1926) , Mar 10, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2024-13427) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-4223) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-2104) , Mar 14, 2025
New vulnerability
Export All Posts, Products, Orders, Refunds & Users (CVE-2025-13606) , Dec 10, 2025
Kadence WooCommerce Email Designer (CVE-2025-13387) , Dec 10, 2025
GiveWP – Donation Plugin and Fundraising Platform (CVE-2025-13206) , Dec 10, 2025
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates (CVE-2025-11270) , Dec 10, 2025
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates (CVE-2025-11361) , Dec 10, 2025