CVE-2025-66533

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection.This issue affects GiveWP: from n/a through <= 4.13.1.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

GiveWP <= 4.13.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php
/**
 * CVE-2025-66533 PoC - GiveWP Arbitrary Shortcode Execution
 * This PoC demonstrates the shortcode injection vulnerability in GiveWP <= 4.13.1
 * 
 * Usage: Access a WordPress page with GiveWP plugin installed and inject the malicious shortcode
 * 
 * Example attack vector:
 * POST /wp-comments-post.php HTTP/1.1
 * Host: target.com
 * 
 * comment_post_ID=123&comment=[give_form id="1"][system('id')][/give_form]
 * 
 * Or via page content injection:
 * [give_form id="1"][恶意代码][/give_form]
 */

// Example of vulnerable shortcode usage
$vulnerable_shortcode = '[give_form id="1"][system("id")][/give_form]';

// Safe shortcode example (what should be implemented)
function safe_give_shortcode($atts) {
    $atts = shortcode_atts(array(
        'id' => '',
    ), $atts, 'give_form');
    
    // Input validation - ensure ID is numeric
    if (!is_numeric($atts['id'])) {
        return '<!-- Invalid form ID -->';
    }
    
    // Sanitize and validate
    $form_id = intval($atts['id']);
    
    // Check user capabilities
    if (!current_user_can('edit_posts')) {
        return '<!-- Unauthorized -->';
    }
    
    // Restrict shortcode content execution
    return '<div class="give-form" data-form-id="' . esc_attr($form_id) . '"></div>';
}

// Mitigation: Disable nested shortcodes
add_filter('shortcode_atts_give_form', function($out, $pairs, $atts) {
    // Remove any nested shortcode content
    unset($out[0]);
    return $out;
}, 10, 3);
?>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66533
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66533
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66533/
[4] VulDB https://vuldb.com/cve/CVE-2025-66533
[5] https://patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-4-13-1-arbitrary-shortocde-execution-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66533", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:18:20.760", "lastModified": "2026-04-27T18:16:38.867", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection.This issue affects GiveWP: from n/a through <= 4.13.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-4-13-1-arbitrary-shortocde-execution-vulnerability?_s_id=cve", "source": "[email protected]"}]}}