CVE-2025-13206
GiveWP - Donation Plugin and Fundraising Platform <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name'The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability.
We have discovered 14,482 live websites that are affected by CVE-2025-13206.
Affected Software
| Product |  GiveWP |
| Category | Wordpress Plugins |
| Vulnerable Domains | 14,482 live websites (45% of GiveWP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 238 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Nov 19, 2025
- Updated - Nov 19, 2025
Credits
- Angus Girvan (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-13206 United States | 6,677 websites |
 Germany | 1,037 websites |
 GB | 895 websites |
 Italy | 747 websites |
 France | 650 websites |
 Canada | 380 websites |
 India | 368 websites |
 Australia | 274 websites |
 Spain | 272 websites |
 Cyprus | 243 websites |
Website Distribution by TLD
Number of websites using CVE-2025-13206| .org | 6,009 websites |
| .com | 3,539 websites |
| .it | 496 websites |
| .de | 365 websites |
| .net | 250 websites |
| .org.uk | 246 websites |
| .ca | 206 websites |
| .fr | 198 websites |
| .co.uk | 177 websites |
| .nl | 127 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-13206
Top websites that are affected by CVE-2025-13206. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.info | United States | **,*** | |
| ***********.org | United States | **,*** | |
| ****.org | United States | **,*** | |
| *********.org | GB | **,*** | |
| ********.org | United States | **,*** | |
| ************.org | United States | **,*** | |
| **************.com | Australia | **,*** | |
| ******.info | Italy | **,*** | |
| ****************.com | United States | ***,*** | |
| **************.***.uk | GB | ***,*** |
FAQ
CVE-2025-13206 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GiveWP
A total of 14,482 websites have been identified as vulnerable to CVE-2025-13206, based on global website indexing conducted by WebTechSurvey.
The GiveWP is affected by the CVE-2025-13206 vulnerability.
GiveWP versions up to and including 4.13 are vulnerable to CVE-2025-13206.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/95823720-e1dc-46c1-887b-ffd877b2fbe5?source=cve
- https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/templates/shortcode-donor-wall.php#L59
- https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/process-donation.php#L1230
- https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/class-give-donor.php#L1135
- https://plugins.trac.wordpress.org/changeset/3398128/