Stored Cross-Site Scripting Vulnerability in Charitable Donation Plugin for WordPress
CVE-2025-5275

4.4 MEDIUM

What is CVE-2025-5275?

The Charitable – Donation Plugin for WordPress is susceptible to a Stored Cross-Site Scripting attack through its privacy settings fields. This vulnerability, found in all versions up to and including 1.8.6.1, arises from inadequate input sanitization and output escaping. Authenticated attackers with administrator-level access can exploit this flaw to inject arbitrary web scripts into pages, which will execute whenever a user accesses the compromised page. This issue predominantly affects multi-site installations and those where unfiltered_html has been disabled. A partial fix was implemented in version 1.8.6.1, with a complete resolution provided in version 1.8.6.2.
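The weakness class described above, a plugin settings value that is stored as submitted and echoed without escaping, is illustrated below with an added PHP example. It is not code from the Charitable plugin or from this advisory: the "privacy notice" option, the function names and the sample input are hypothetical, and the `function_exists` stand-ins exist only so the file runs under plain PHP outside WordPress (inside WordPress the core `sanitize_textarea_field` and `esc_html` are used instead). The point it makes is the one the advisory turns on: sanitisation on save and escaping on output must not be skipped for administrators, because on multisite and on sites with `DISALLOW_UNFILTERED_HTML` they do not hold the `unfiltered_html` capability.

```php
<?php
// Added example, not the plugin's code: a hypothetical plain-text
// "privacy notice" setting, shown as a vulnerable handler and a hardened one.

// Stand-ins so this file runs with plain PHP outside WordPress. Inside
// WordPress these functions already exist and the definitions are skipped.
if (!function_exists('sanitize_textarea_field')) {
    function sanitize_textarea_field($text) {
        // Approximates core: drop script/style blocks with their contents,
        // then strip remaining tags. Core also normalises whitespace.
        $text = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $text);
        return trim(strip_tags($text));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// --- Vulnerable pattern: stored as submitted, rendered without escaping. ---
function vulnerable_save_notice($raw) {
    return $raw;                                   // no sanitisation on save
}
function vulnerable_render_notice($stored) {
    return '<div class="privacy-notice">' . $stored . '</div>';   // no escaping
}

// --- Hardened pattern: sanitise on save, escape on output. ---
function hardened_save_notice($raw) {
    // A plain-text setting is treated as text for every user, including
    // administrators; no branch on current_user_can('unfiltered_html').
    return sanitize_textarea_field($raw);
}
function hardened_render_notice($stored) {
    // Escape at the point of output regardless of what was stored, so a value
    // that reached the database some other way (import, another plugin) is
    // still rendered inert.
    return '<div class="privacy-notice">' . esc_html($stored) . '</div>';
}

// Constructed sample input: the kind of markup an admin-level account could
// submit in a settings form. Returns both renderings for comparison.
function demo_privacy_notice() {
    $submitted = 'We keep donor data private.<script>/* marker */</script>';
    return [
        'vulnerable' => vulnerable_render_notice(vulnerable_save_notice($submitted)),
        'hardened'   => hardened_render_notice(hardened_save_notice($submitted)),
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (demo_privacy_notice() as $label => $html) {
        echo str_pad($label, 11) . $html, PHP_EOL;
    }
}
```

Run with `php example.php`: the vulnerable rendering contains the `<script>` element verbatim, while the hardened rendering contains neither the element nor its contents, and any `<` that survived sanitisation would arrive in the page as `&lt;`. The same two checks, "is user input sanitised before it is written to `wp_options`?" and "is it passed through `esc_html`/`esc_attr` (or `wp_kses_post` for rich fields) when printed?", are what to look for when reviewing a plugin's settings pages for this bug class.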

Affected Version(s)

Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More * <= 1.8.6.1

References

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonas Benjamin Friedli