Description
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the privacy settings fields in all versions up to, and including, 1.8.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
This issue was partially fixed in version 1.8.6.1 and fully fixed in version 1.8.6.2.
Published: 2025-06-26
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS (Authenticated Administrative)
Action: Patch Now
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw within the privacy settings fields of the Charitable WordPress plugin. Because input sanitization and output escaping are insufficient, an attacker who has administrator privileges can embed arbitrary JavaScript. This weakness aligns with CWE-79, Cross‑Site Scripting. When an end‑user visits the affected page, the script executes in the user’s browser, potentially allowing data theft, session hijacking, or defacement. The flaw is confined to stored data and does not require user interaction beyond loading the page.

Affected Systems

This issue affects installations of the Charitable plugin for WordPress (smub:Charitable) up to and including version 1.8.6.1. It is only exploitable on multi‑site installations and on installations where the unfiltered_html capability has been disabled; in other configurations an administrator already holds unfiltered_html, so the missing sanitization grants no additional privilege. The problem was partially addressed in 1.8.6.1 and fully resolved in 1.8.6.2.

Risk and Exploitability

The CVSS score of 4.4 indicates medium severity, and the EPSS score of less than 1% signals a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no documented exploitation yet. An attacker must first authenticate as an administrator and then store malicious code in the privacy settings; with no public exploits known, the impact is moderate and the current exploitability low.

Generated by OpenCVE AI on April 22, 2026 at 01:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Charitable plugin to version 1.8.6.2 or later to remove the vulnerable code paths.
  • After upgrading, check all privacy setting entries for residual or injected scripts and delete them if present.
  • Re‑audit the WordPress environment to ensure no other plugins or custom code introduce similar stored XSS vulnerabilities.

Advisories

Source: EUVD
ID: EUVD-2025-28457
Title: The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the privacy settings fields in all versions up to, and including, 1.8.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. This issue was partially fixed in version 1.8.6.1 and fully fixed in version 1.8.6.2.
History

Mon, 07 Jul 2025 16:30:00 +0000

Type: First Time appeared
Values Added: Wpbeginner; Wpbeginner charitable

Type: CPEs
Values Added: cpe:2.3:a:wpbeginner:charitable:*:*:*:*:-:wordpress:*:*

Type: Vendors & Products
Values Added: Wpbeginner; Wpbeginner charitable

Thu, 26 Jun 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Jun 2025 03:00:00 +0000

Type: Description
Values Added: The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the privacy settings fields in all versions up to, and including, 1.8.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. This issue was partially fixed in version 1.8.6.1 and fully fixed in version 1.8.6.2.

Type: Title
Values Added: Charitable <= 1.8.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin's Privacy Settings

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: none

Type: Metrics
Values Added: cvssV3_1
{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:32.375Z

Reserved: 2025-05-27T13:37:54.171Z

Link: CVE-2025-5275

Vulnrichment

Updated: 2025-06-26T13:23:36.700Z

NVD

Status: Analyzed

Published: 2025-06-26T03:15:23.860

Modified: 2025-07-08T11:32:22.210

Link: CVE-2025-5275

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses