Impact
Improper neutralization of user‑supplied input in the Charity‑thermometer plugin results in stored Cross‑Site Scripting (XSS). An attacker who submits script content through any input field that the plugin saves and later renders causes that content to execute in the browser of every visitor to the affected page, within the security context of the site itself. The impact is primarily client‑side: cookie theft, session hijacking, defacement, or delivery of additional malware. This weakness corresponds to CWE‑79.
Affected Systems
The vulnerability affects all installations of the crea8xion Charity‑thermometer plugin at version 1.1.2 or earlier. No specific sub‑versions are listed, so every build of the plugin released prior to 1.1.3 is considered affected.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, and the very low EPSS score (< 1 %) suggests that the probability of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a user interacting with the plugin's input interface (for example, submitting a donation or pledge), with the submitted data then persisted and rendered on pages viewed by other users. An adversary can inject script payloads that execute in the browser of any user who loads the compromised page. Because the issue is a stored XSS, an authenticated user with the ability to contribute content is sufficient to trigger the vulnerability; no administrative privileges are required.
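The following is an added illustration of the store‑then‑render pattern described in the Impact and Risk sections above; it is not code from the Charity‑thermometer plugin or from crea8xion. It assumes a donor form with "name" and "amount" fields (a constructed example), uses an in‑memory array in place of the plugin's real storage, and uses PHP's built‑in htmlspecialchars()/strip_tags() where a WordPress plugin would call esc_html() and sanitize_text_field(). It shows the vulnerable rendering path next to a hardened one, plus a small check that flags already‑stored records containing markup.

```php
<?php
// Added example, not the plugin's own code.
// Assumptions: $submissions stands in for stored donor records; htmlspecialchars()
// stands in for WordPress esc_html(); strip_tags() stands in for sanitize_text_field().
declare(strict_types=1);

// Constructed sample submissions, as a donor form might receive them.
$submissions = [
    ['name' => 'Alice',                                      'amount' => '25'],
    ['name' => 'Bob <b>the Builder</b>',                     'amount' => '10'],
    ['name' => '<script>document.title="changed"</script>',  'amount' => '5'],
];

/** Vulnerable pattern: stored input is concatenated straight into the page. */
function render_vulnerable(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        // Whatever was stored is emitted as live markup, including <script>.
        $html .= '<li>' . $row['name'] . ' gave $' . $row['amount'] . "</li>\n";
    }
    return "<ul>\n" . $html . '</ul>';
}

/** Input-side hygiene: reject or normalise a submission before storing it. */
function sanitize_submission(array $row): ?array
{
    // Strip tags and control characters from the free-text field.
    $name = trim(strip_tags($row['name'] ?? ''));
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    if ($name === '' || strlen($name) > 200) {
        return null; // reject rather than guess at intent
    }
    // Amount must be a plain non-negative number; anything else is rejected.
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $row['amount'] ?? '')) {
        return null;
    }
    return ['name' => $name, 'amount' => $row['amount']];
}

/** Output-side encoding: the actual fix for XSS, applied at render time. */
function render_hardened(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        // Encode for the HTML text context (WordPress: esc_html()).
        $name   = htmlspecialchars($row['name'],   ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $amount = htmlspecialchars($row['amount'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<li>' . $name . ' gave $' . $amount . "</li>\n";
    }
    return "<ul>\n" . $html . '</ul>';
}

/** Detection: flag records already in storage that contain markup or URL schemes. */
function find_suspicious(array $rows): array
{
    return array_values(array_filter($rows, function (array $row): bool {
        return $row['name'] !== strip_tags($row['name'])
            || stripos($row['name'], 'javascript:') !== false;
    }));
}

// Demonstration.
echo "--- vulnerable output ---\n", render_vulnerable($submissions), "\n\n";

$clean = array_values(array_filter(array_map('sanitize_submission', $submissions)));
echo "--- hardened output ---\n", render_hardened($clean), "\n\n";

$flagged = find_suspicious($submissions);
printf("--- %d stored row(s) contain markup and should be reviewed ---\n", count($flagged));
foreach ($flagged as $row) {
    echo '  ', json_encode($row['name']), "\n";
}
```

Run it with `php example.php`. The vulnerable listing emits the third record's <script> element verbatim, which is exactly the stored‑XSS condition; the hardened listing emits it as inert text. The input‑side filtering is only defence in depth: strip_tags() is easy to bypass and must not be relied on alone, so the decisive control is the context‑appropriate encoding at output time. find_suspicious() is the kind of one‑off check an administrator can run over existing stored entries after upgrading, since patching the plugin does not clean up records that were saved while the flaw was present.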
OpenCVE Enrichment