Improper neutralization of input in the Total Donations plugin causes a reflected cross‑site scripting vulnerability, allowing an attacker to inject malicious scripts into a page that a victim will view. When a user interacts with a donation form or visits a crafted link, the script executes in the browser of any user who sees the affected page, which can lead to data theft, session hijacking, or defacement of the site. This weakness is classified as CWE‑79 and requires user interaction for exploitation.

WordPress sites running the binti76 Total Donations plugin version 3.0.8 or earlier are affected. Any installation that has not upgraded past 3.0.8 remains vulnerable, regardless of other plugins or themes.

The CVSS score of 7.1 denotes medium to high severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog, suggesting it has not been widely targeted yet. Exploitation typically requires a malicious link or input that triggers the plugin to echo user data back to the page; thus an attacker must persuade a user to click or submit data. Because the flaw is a reflected XSS, patching it is the most effective mitigation, and users should prioritize updating the plugin.