CVE-2025-66533 is a vulnerability classified as 'Improper Control of Generation of Code' or code injection within the StellarWP GiveWP plugin, a popular WordPress plugin used for managing donations. The affected versions include all releases up to and including 4.13.1. This vulnerability allows an attacker with low privileges (PR:L) and no user interaction (UI:N) to inject and execute arbitrary code within the context of the WordPress environment. The CVSS v3.1 base score of 7.8 reflects high severity, with impacts on confidentiality, integrity, and availability (all rated high). The attack vector is local (AV:L), meaning the attacker needs some level of access to the system, such as a compromised user account with limited privileges. The vulnerability does not require user interaction, increasing the risk of automated exploitation once an attacker gains initial access. Although no known exploits are currently reported in the wild, the nature of code injection vulnerabilities typically allows attackers to execute malicious payloads, potentially leading to full system compromise, data theft, defacement, or denial of service. The vulnerability was reserved and published in early December 2025, with no patch links currently available, indicating that remediation may still be pending. The plugin’s role in handling donation transactions means that exploitation could expose sensitive donor information and disrupt fundraising operations.

For European organizations, especially nonprofits and charities relying on GiveWP for donation processing, this vulnerability poses a significant risk. Exploitation could lead to unauthorized code execution, allowing attackers to access or modify sensitive donor data, manipulate donation records, or disrupt website availability. This could result in financial loss, reputational damage, and regulatory penalties under GDPR due to data breaches. The local attack vector suggests that attackers who have gained limited access to the WordPress environment—via phishing, credential reuse, or other means—could escalate privileges or move laterally. The high impact on confidentiality, integrity, and availability means that critical donation infrastructure could be compromised, affecting fundraising capabilities and trust. Additionally, given the widespread use of WordPress and the plugin’s popularity, the threat surface is broad across European nonprofit sectors.

Organizations should immediately inventory their WordPress installations to identify the use of GiveWP and verify the plugin version. Until a patch is released, restrict access to the WordPress admin area and plugin management to trusted users only, employing strong authentication methods such as multi-factor authentication. Limit user privileges to the minimum necessary to reduce the risk of exploitation by low-privilege accounts. Monitor logs for unusual activity indicative of code injection attempts or privilege escalation. Employ web application firewalls (WAFs) with rules targeting known WordPress plugin vulnerabilities to block suspicious requests. Regularly back up WordPress sites and databases to enable rapid recovery if exploitation occurs. Once patches become available, prioritize their deployment in all affected environments. Additionally, conduct security awareness training to reduce the risk of initial access through compromised credentials.