CVE-2025-13206 is a stored cross-site scripting vulnerability identified in the GiveWP Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to and including 4.13.0. The vulnerability stems from insufficient input sanitization and output escaping of the ‘name’ parameter, which is used during web page generation. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code that is stored persistently and executed in the browsers of users who visit the compromised pages. A prerequisite for exploitation is that the WordPress installation has avatars enabled, as the vulnerability leverages this feature to trigger script execution. The CVSS v3.1 base score is 7.2, reflecting a high severity due to the network attack vector, low attack complexity, no privileges or user interaction required, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact primarily affects confidentiality and integrity, enabling attackers to steal sensitive user information, hijack sessions, or perform unauthorized actions on behalf of users. Although no known exploits have been reported in the wild yet, the widespread use of GiveWP in donation and fundraising contexts makes this vulnerability a significant risk. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially those handling user-generated content. The lack of an official patch at the time of publication necessitates immediate mitigation steps by administrators to reduce exposure.

For European organizations, especially nonprofits and charities relying on GiveWP for fundraising, this vulnerability poses a serious risk to the confidentiality and integrity of user data. Attackers could exploit the flaw to steal donor information, including personal details and potentially payment-related data if combined with other vulnerabilities. The ability to execute scripts in users’ browsers can also lead to session hijacking, unauthorized actions on user accounts, and reputational damage. Given the plugin’s role in managing donations, exploitation could disrupt fundraising activities, erode donor trust, and cause financial losses. The vulnerability’s ease of exploitation without authentication or user interaction increases the likelihood of attacks. Organizations operating in countries with high WordPress usage and active charitable sectors may face targeted attacks aiming to compromise donor databases or manipulate fundraising campaigns. Additionally, the scope change in the CVSS vector suggests that the impact could extend beyond the plugin itself, potentially affecting other integrated components or user data handled by the WordPress site.

1. Immediately disable avatars in WordPress installations using GiveWP if avatars are not essential, as this reduces the attack surface for exploitation. 2. Apply strict input validation and output escaping on all user-supplied data, particularly the ‘name’ parameter, to prevent injection of malicious scripts. 3. Monitor web server and application logs for unusual requests targeting the ‘name’ parameter or suspicious payloads indicative of XSS attempts. 4. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 5. Restrict access to donation and fundraising pages where possible, using web application firewalls (WAFs) to detect and block malicious input patterns. 6. Stay updated with vendor advisories and apply patches promptly once released. 7. Conduct security audits and penetration testing focused on input handling in the GiveWP plugin and related components. 8. Educate site administrators and users about the risks of XSS and encourage cautious behavior regarding links and inputs on donation platforms.