Impact
The vulnerability allows an attacker to embed JavaScript that is stored with the donation form data and subsequently displayed to site visitors. Because the plugin does not neutralize user‑supplied input before rendering it, an attacker can exploit this improper‑neutralization weakness (CWE‑79) to execute arbitrary scripts in the browser of any user who views the affected page, potentially enabling session hijacking, credential theft, defacement, or the delivery of secondary payloads.
Affected Systems
Any WordPress site that has the Givecloud Donation Forms WP plugin version 1.0.9 or earlier installed is affected. The issue is tied to the plugin’s donation‑form interface, so any site components that present or store content through this interface are vulnerable. No sub‑version details are supplied.
Risk and Exploitability
The CVSS score of 6.5 denotes moderate severity, while the EPSS score of less than 1 % signals that active exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to inject malicious input through an account that can edit or manage donation forms (e.g., a site administrator or any role with form‑editing privileges). The injected script is then delivered to other visitors and runs when the page is rendered. Users with higher privileges on the site may also be at risk if they open administrative screens that display the injected content.
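The pattern described in the Impact and Risk sections (form data stored verbatim, then echoed to visitors) is illustrated below beside a hardened version. This is an added example written for this page, not Givecloud's code; the function names and the option key 'demo_donation_form' are hypothetical, and the WordPress API calls (sanitize_text_field, wp_kses_post, esc_html, check_admin_referer) are the real core functions.

```php
<?php
// Added illustration, not the plugin's own code. Shows the CWE-79 pattern
// (store raw input, echo it unescaped) next to the mitigated version.
// 'demo_donation_form' and the demo_* function names are hypothetical.

// WEAK: settings are stored exactly as submitted and echoed unescaped.
function demo_save_form_weak() {
    $form = array(
        'title'  => $_POST['title'],            // stored verbatim
        'thanks' => $_POST['thanks_message'],   // stored verbatim
    );
    update_option( 'demo_donation_form', $form );
}

function demo_render_form_weak() {
    $form = get_option( 'demo_donation_form' );
    echo '<h2>' . $form['title'] . '</h2>';     // CWE-79: raw output to every visitor
    echo '<p>' . $form['thanks'] . '</p>';
}

// HARDENED: verify capability and nonce on save, sanitize on input, escape on output.
function demo_save_form_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );    // only privileged roles may edit forms
    }
    check_admin_referer( 'demo_save_form' );    // CSRF protection for the save action
    $form = array(
        'title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        // Allow only the restricted HTML set WordPress permits in post content.
        'thanks' => wp_kses_post( wp_unslash( $_POST['thanks_message'] ?? '' ) ),
    );
    update_option( 'demo_donation_form', $form );
}

function demo_render_form_hardened() {
    $form = get_option( 'demo_donation_form', array( 'title' => '', 'thanks' => '' ) );
    // Escape at output time, with the escaper matched to the HTML context.
    echo '<h2>' . esc_html( $form['title'] ) . '</h2>';
    echo '<p>' . wp_kses_post( $form['thanks'] ) . '</p>';
}
```

Sanitizing on save is defence in depth; the escaping at render time is what actually prevents stored content from being interpreted as script by visitors' browsers.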
OpenCVE Enrichment