Description
The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross–Site Scripting in Raisely Donation Form
Action: Immediate Patch
AI Analysis

Impact

The Raisely Donation Form plugin for WordPress contains a stored Cross‑Site Scripting vulnerability in all releases up to and including 1.1. Through the raisely_donation_form shortcode, insufficient input sanitization and output escaping allow an attacker who can authenticate with contributor‑level access or higher to embed arbitrary JavaScript. When a user views a page containing the injected shortcode, the script executes in the victim’s browser. This can lead to cookie theft, session hijacking, defacement, or phishing under the victim’s security context.

Affected Systems

The vulnerability affects the "Raisely Donation Form" plugin distributed by Creative Freedom AU. Systems running any version of the plugin through 1.1 are impacted. The plugin is typically installed as a WordPress site component and can be accessed by site contributors and administrators.

Risk and Exploitability

The CVSS score of 6.4 flags medium severity, while the EPSS score of less than 1% indicates a low but non‑zero probability of exploitation. The weakness is not listed in the CISA KEV catalog. Exploitation requires authenticated access at the contributor level or higher, making it an implicit local attack vector. Because the attacker can run scripts in the context of any site visitor, the impact on confidentiality, integrity, or availability can be significant if the malicious code performs credential theft or defacement.

Generated by OpenCVE AI on April 28, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Raisely Donation Form to the latest available version (1.2 or newer) which removes the insecure attribute handling.
  • If an upgrade is not immediately possible, restrict use of the raisely_donation_form shortcode to trusted administrators and remove or disable it from all other user roles.
  • Enable WordPress’s built‑in XSS protection by activating the Content Security Policy (CSP) and applying a plugin that sanitizes user input before rendering shortcodes.

Generated by OpenCVE AI on April 28, 2026 at 01:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16084 The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Raisely Donation Form <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via raisely_donation_form Shortcode Raisely Donation Form <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via raisely_donation_form Shortcode
References

Wed, 21 May 2025 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 May 2025 09:30:00 +0000

Type Values Removed Values Added
Description The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Raisely Donation Form <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via raisely_donation_form Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:55.032Z

Reserved: 2025-04-17T22:31:06.698Z

Link: CVE-2025-3781

cve-icon Vulnrichment

Updated: 2025-05-21T10:11:52.867Z

cve-icon NVD

Status : Deferred

Published: 2025-05-21T12:16:21.677

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3781

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:45:18Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')