Description
The Double the Donation – A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-11-11
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting for authenticated administrators
Action: Apply patch
AI Analysis

Impact

The Double the Donation – A workplace giving tool plugin for WordPress contains an insecure admin settings page that stores user input without proper sanitization or output escaping. When a user with administrator‑level permissions or higher modifies these settings, arbitrary JavaScript can be written to the database and rendered on any page that loads the injected content. The injected script runs in the context of visitors, potentially allowing session hijacking, data theft, or defacement. The vulnerability is an example of CWE‑79, classic stored cross‑site scripting.

Affected Systems

All releases of Double the Donation up to and including version 3.0.0 are affected when the plugin is installed on a multisite WordPress network and the site configuration has unfiltered_html disabled. The issue persists across WordPress versions and any network that grants administrators the capability to edit the plugin settings through the dashboard.

Risk and Exploitability

The CVSS score of 4.9 places the flaw in the moderate severity range, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, further suggesting limited active exploitation. The attack path requires the attacker to be a logged‑in administrator or higher, which narrows the threat surface to privileged accounts. Nonetheless, because the payload executes in users’ browsers, any compromise of an administrator account could impact the entire multisite network.

Generated by OpenCVE AI on April 22, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Double the Donation plugin to version 3.1 or later, which contains the input sanitization and output escaping fix.
  • If an update is not available, remove or disable the plugin on all sites where it is not essential, and restrict configuration changes to a single super‑administrator account to minimize the opportunity for malicious input.
  • Implement a site‑wide Content Security Policy that blocks inline script execution and whitelists only trusted sources, reducing the impact of any residual injected content.
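As an added illustration, not code from the Double the Donation plugin or from OpenCVE, the save-and-echo pattern the analysis describes sits beside a hardened version that sanitizes on save, escapes on output and honours the unfiltered_html capability the advisory mentions. The option names, functions and settings group are hypothetical.

```php
<?php
// Added illustration of the CWE-79 pattern in this advisory; not the plugin's code.
// Option name 'example_banner_text' and all function names are hypothetical.

// --- Vulnerable pattern: raw POST value stored, raw option echoed. ---
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_banner_text'] ) ) {
        // Stored verbatim: a <script> tag survives into the database.
        update_option( 'example_banner_text', wp_unslash( $_POST['example_banner_text'] ) );
    }
}
function example_render_banner_vulnerable() {
    // Echoed verbatim: the stored script runs in every visitor's browser.
    echo '<div class="banner">' . get_option( 'example_banner_text', '' ) . '</div>';
}

// --- Hardened pattern: sanitize on save, escape on output, honour unfiltered_html. ---
function example_sanitize_banner_text( $value ) {
    // Administrators without unfiltered_html (the multisite default, or a site
    // that disabled it) may not store markup at all; everyone else is limited
    // to the post-safe HTML subset, which drops <script> and on* handlers.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return sanitize_text_field( $value );
    }
    return wp_kses_post( $value );
}
function example_register_settings() {
    // The sanitize_callback runs before update_option() writes the value.
    register_setting( 'example_group', 'example_banner_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_banner_text',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'example_register_settings' );

function example_render_banner_hardened() {
    $text = get_option( 'example_banner_text', '' );
    // Escape at output as well: the database may still hold a payload saved by
    // the unsanitized version, and wp_kses_post() re-filters stored HTML.
    echo '<div class="banner">' . wp_kses_post( $text ) . '</div>';
}
function example_render_title_hardened() {
    // For a field that must never contain markup, escape with esc_html() instead.
    echo '<h2>' . esc_html( get_option( 'example_title', '' ) ) . '</h2>';
}
```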

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: References
  Values Removed:
  Values Added:

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
  Values Removed: The Double the Donation – A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
  Values Added: The Double the Donation – A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Type: Title
  Values Removed: Double the Donation <= 2.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
  Values Added: Double the Donation <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Type: References
  Values Removed:
  Values Added:

Wed, 12 Nov 2025 20:15:00 +0000

Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type: Description
  Values Added: The Double the Donation – A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Type: Title
  Values Added: Double the Donation <= 2.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Type: Weaknesses
  Values Added: CWE-79
Type: References
  Values Added:
Type: Metrics
  Values Added: cvssV3_1
    {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:24.802Z

Reserved: 2025-10-21T14:29:21.488Z

Link: CVE-2025-12020

Vulnrichment

Updated: 2025-11-12T15:42:03.603Z

NVD

Status: Deferred

Published: 2025-11-11T04:15:45.970

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses