CVE-2025-66533
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A code injection vulnerability in the GiveWP plugin (≤4.13.1) allows unauthenticated attackers to execute arbitrary shortcodes, leading to content injection.
Vulnerability
Overview
CVE-2025-66533 is a code injection vulnerability in the StellarWP GiveWP plugin for WordPress, affecting versions from n/a through 4.13.1. The issue stems from improper control of code generation, allowing an attacker to inject arbitrary shortcodes into the application. This is classified as a Content Injection vulnerability, which can be exploited without authentication.
Exploitation
Attackers can exploit this vulnerability by sending crafted requests that inject malicious shortcodes into the WordPress site. No authentication is required, making it accessible to any remote attacker. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of their size or traffic [1].
Impact
Successful exploitation allows an attacker to inject arbitrary content into pages and posts of the affected website. This could be abused to display phishing pages, redirect users to malicious sites, or deface the website. The CVSS v3 score of 5.3 (Medium) reflects the potential impact on confidentiality and integrity; availability is not directly affected, and access to sensitive data is not the primary vector.
Mitigation
The vendor has released version 4.13.2, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule that blocks attacks until the patch is applied. Enabling auto-updates for plugins is also recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (No linked articles in our index yet.)