Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for GiveWP – Donation Plugin and Fundraising Platform by Unknown

    CVE-2022-2260 (GCVE-0-2022-2260)

    Vulnerability from nvd – Published: 2022-08-01 12:50 – Updated: 2024-08-03 00:32
    VLAI
    Title
    GiveWP < 2.21.3 - DoS via CSRF
    Summary
    The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU.
    Severity
    No CVSS data available.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Credits
    Raad Haddad
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.543Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.21.3",
                  "status": "affected",
                  "version": "2.21.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Raad Haddad"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target\u0027s CPU."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T12:50:58.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "GiveWP \u003c 2.21.3 - DoS via CSRF",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2260",
              "STATE": "PUBLIC",
              "TITLE": "GiveWP \u003c 2.21.3 - DoS via CSRF"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.21.3",
                                "version_value": "2.21.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Raad Haddad"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target\u0027s CPU."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2260",
        "datePublished": "2022-08-01T12:50:58.000Z",
        "dateReserved": "2022-06-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2215 (GCVE-0-2022-2215)

    Vulnerability from nvd – Published: 2022-08-01 12:50 – Updated: 2024-08-03 00:32
    VLAI
    Title
    GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting
    Summary
    The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    Raad Haddad
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.421Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.21.3",
                  "status": "affected",
                  "version": "2.21.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Raad Haddad"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T12:50:18.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "GiveWP \u003c 2.21.3 - Admin+ Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2215",
              "STATE": "PUBLIC",
              "TITLE": "GiveWP \u003c 2.21.3 - Admin+ Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.21.3",
                                "version_value": "2.21.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Raad Haddad"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2215",
        "datePublished": "2022-08-01T12:50:18.000Z",
        "dateReserved": "2022-06-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.421Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0252 (GCVE-0-2022-0252)

    Vulnerability from nvd – Published: 2022-02-21 10:46 – Updated: 2024-08-02 23:25
    VLAI
    Title
    Give < 2.17.3 - Reflected Cross-Site Scripting via Import Tool
    Summary
    The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    JrXnm
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:25:38.791Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2659032"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.17.3",
                  "status": "affected",
                  "version": "2.17.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JrXnm"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-21T10:46:09.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2659032"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Import Tool",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-0252",
              "STATE": "PUBLIC",
              "TITLE": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Import Tool"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.17.3",
                                "version_value": "2.17.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JrXnm"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2659032",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2659032"
                },
                {
                  "name": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-0252",
        "datePublished": "2022-02-21T10:46:09.000Z",
        "dateReserved": "2022-01-17T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:25:38.791Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25100 (GCVE-0-2021-25100)

    Vulnerability from nvd – Published: 2022-02-21 10:45 – Updated: 2024-08-03 19:56
    VLAI
    Title
    Give < 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard
    Summary
    The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    JrXnm
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:09.986Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2659032"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.17.3",
                  "status": "affected",
                  "version": "2.17.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JrXnm"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-21T10:45:54.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2659032"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-25100",
              "STATE": "PUBLIC",
              "TITLE": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.17.3",
                                "version_value": "2.17.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JrXnm"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2659032",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2659032"
                },
                {
                  "name": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-25100",
        "datePublished": "2022-02-21T10:45:54.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:09.986Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25099 (GCVE-0-2021-25099)

    Vulnerability from nvd – Published: 2022-02-21 10:45 – Updated: 2024-08-03 19:56
    VLAI
    Title
    Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting
    Summary
    The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    JrXnm
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:10.761Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2659032"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.17.3",
                  "status": "affected",
                  "version": "2.17.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JrXnm"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-21T10:45:53.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2659032"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Give \u003c 2.17.3 - Unauthenticated Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-25099",
              "STATE": "PUBLIC",
              "TITLE": "Give \u003c 2.17.3 - Unauthenticated Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.17.3",
                                "version_value": "2.17.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JrXnm"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2659032",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2659032"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-25099",
        "datePublished": "2022-02-21T10:45:53.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:10.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24524 (GCVE-0-2021-24524)

    Vulnerability from nvd – Published: 2021-08-23 11:09 – Updated: 2024-08-03 19:35
    VLAI
    Title
    GiveWP < 2.12.0 - Authenticated Stored XSS
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    Asif Nawaz Minhas
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:35:20.023Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.12.0",
                  "status": "affected",
                  "version": "2.12.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Asif Nawaz Minhas"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-23T11:09:59.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "GiveWP \u003c 2.12.0 - Authenticated Stored XSS",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24524",
              "STATE": "PUBLIC",
              "TITLE": "GiveWP \u003c 2.12.0 - Authenticated Stored XSS"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.12.0",
                                "version_value": "2.12.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Asif Nawaz Minhas"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24524",
        "datePublished": "2021-08-23T11:09:59.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:35:20.023Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2260 (GCVE-0-2022-2260)

    Vulnerability from cvelistv5 – Published: 2022-08-01 12:50 – Updated: 2024-08-03 00:32
    VLAI
    Title
    GiveWP < 2.21.3 - DoS via CSRF
    Summary
    The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU.
    Severity
    No CVSS data available.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Credits
    Raad Haddad
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.543Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.21.3",
                  "status": "affected",
                  "version": "2.21.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Raad Haddad"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target\u0027s CPU."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T12:50:58.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "GiveWP \u003c 2.21.3 - DoS via CSRF",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2260",
              "STATE": "PUBLIC",
              "TITLE": "GiveWP \u003c 2.21.3 - DoS via CSRF"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.21.3",
                                "version_value": "2.21.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Raad Haddad"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target\u0027s CPU."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2260",
        "datePublished": "2022-08-01T12:50:58.000Z",
        "dateReserved": "2022-06-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2215 (GCVE-0-2022-2215)

    Vulnerability from cvelistv5 – Published: 2022-08-01 12:50 – Updated: 2024-08-03 00:32
    VLAI
    Title
    GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting
    Summary
    The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    Raad Haddad
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.421Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.21.3",
                  "status": "affected",
                  "version": "2.21.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Raad Haddad"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T12:50:18.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "GiveWP \u003c 2.21.3 - Admin+ Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2215",
              "STATE": "PUBLIC",
              "TITLE": "GiveWP \u003c 2.21.3 - Admin+ Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.21.3",
                                "version_value": "2.21.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Raad Haddad"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/daa9b6c1-1ee1-434c-9f88-fd273b7e20bb"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2215",
        "datePublished": "2022-08-01T12:50:18.000Z",
        "dateReserved": "2022-06-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.421Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0252 (GCVE-0-2022-0252)

    Vulnerability from cvelistv5 – Published: 2022-02-21 10:46 – Updated: 2024-08-02 23:25
    VLAI
    Title
    Give < 2.17.3 - Reflected Cross-Site Scripting via Import Tool
    Summary
    The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    JrXnm
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:25:38.791Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2659032"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.17.3",
                  "status": "affected",
                  "version": "2.17.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JrXnm"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-21T10:46:09.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2659032"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Import Tool",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-0252",
              "STATE": "PUBLIC",
              "TITLE": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Import Tool"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.17.3",
                                "version_value": "2.17.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JrXnm"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2659032",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2659032"
                },
                {
                  "name": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/b0e551af-087b-43e7-bdb7-11d7f639028a"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-0252",
        "datePublished": "2022-02-21T10:46:09.000Z",
        "dateReserved": "2022-01-17T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:25:38.791Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25100 (GCVE-0-2021-25100)

    Vulnerability from cvelistv5 – Published: 2022-02-21 10:45 – Updated: 2024-08-03 19:56
    VLAI
    Title
    Give < 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard
    Summary
    The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    JrXnm
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:09.986Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2659032"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.17.3",
                  "status": "affected",
                  "version": "2.17.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JrXnm"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-21T10:45:54.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2659032"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-25100",
              "STATE": "PUBLIC",
              "TITLE": "Give \u003c 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.17.3",
                                "version_value": "2.17.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JrXnm"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2659032",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2659032"
                },
                {
                  "name": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/fe2c02bf-207c-43da-98bd-4c85d235de8b"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-25100",
        "datePublished": "2022-02-21T10:45:54.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:09.986Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25099 (GCVE-0-2021-25099)

    Vulnerability from cvelistv5 – Published: 2022-02-21 10:45 – Updated: 2024-08-03 19:56
    VLAI
    Title
    Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting
    Summary
    The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    JrXnm
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:10.761Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2659032"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.17.3",
                  "status": "affected",
                  "version": "2.17.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JrXnm"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-21T10:45:53.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2659032"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Give \u003c 2.17.3 - Unauthenticated Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-25099",
              "STATE": "PUBLIC",
              "TITLE": "Give \u003c 2.17.3 - Unauthenticated Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.17.3",
                                "version_value": "2.17.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JrXnm"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2659032",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2659032"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-25099",
        "datePublished": "2022-02-21T10:45:53.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:10.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24524 (GCVE-0-2021-24524)

    Vulnerability from cvelistv5 – Published: 2021-08-23 11:09 – Updated: 2024-08-03 19:35
    VLAI
    Title
    GiveWP < 2.12.0 - Authenticated Stored XSS
    Summary
    The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    Asif Nawaz Minhas
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:35:20.023Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.12.0",
                  "status": "affected",
                  "version": "2.12.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Asif Nawaz Minhas"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-23T11:09:59.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "GiveWP \u003c 2.12.0 - Authenticated Stored XSS",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24524",
              "STATE": "PUBLIC",
              "TITLE": "GiveWP \u003c 2.12.0 - Authenticated Stored XSS"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "GiveWP \u2013 Donation Plugin and Fundraising Platform",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.12.0",
                                "version_value": "2.12.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Asif Nawaz Minhas"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The GiveWP \u2013 Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/5a4774ec-c0ee-4c6b-92a6-fa10821ec336"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24524",
        "datePublished": "2021-08-23T11:09:59.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:35:20.023Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }