Description
Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System wp-attractive-donations-system-easy-stripe-paypal-donations allows Stored XSS. This issue affects WP Attractive Donations System: from n/a through < 1.29.
Published: 2025-09-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw in the WP Attractive Donations System plugin, allowing an attacker to forge authenticated requests on behalf of a logged-in user and potentially inject malicious content that may persist as stored XSS. This weakness can lead to unauthorized changes, data manipulation, and content compromise on the affected WordPress site.

Affected Systems

Loopus' WP Attractive Donations System plugin versions prior to 1.29 are affected; the advisory gives the range as from n/a (no stated lower bound) through < 1.29. WordPress sites running any of these plugin versions are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of <1% suggests a low current exploit probability. The vulnerability is not listed in CISA KEV, implying no confirmed widespread exploitation yet. Based on the description, the likely attack vector is a malicious link or form that forces a victim’s browser to submit privileged requests to the site, exploiting the missing anti-CSRF token. Successful exploitation could lead to unauthorized administrative actions or permanent content injection.

Generated by OpenCVE AI on April 30, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Attractive Donations System plugin to version 1.29 or later, which is confirmed to contain the CSRF fix.
  • If an immediate upgrade is not feasible, temporarily deactivate the plugin until a patched version is available to prevent exploitation.
  • Implement or verify that all state-changing actions in the site employ a robust anti-CSRF token mechanism, and review input handling to mitigate any residual XSS risk.
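The third recommendation above, shown as working WordPress code. This is an added example written for this page, not code from the WP Attractive Donations System plugin or from Loopus; the action name, option name, form field and text domain (`example_*`) are hypothetical. It uses only standard WordPress APIs (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `sanitize_text_field`, `esc_html`) and shows the three controls that together close the CSRF-to-stored-XSS path described in the analysis: a per-action nonce, a capability check, and sanitization on input plus escaping on output.

```php
<?php
// Added example (not the plugin's code): a minimal admin-post handler that
// protects a state-changing settings update with a nonce, a capability
// check and escaping. Action, option and field names are hypothetical.

// 1. Render the settings form with a nonce field bound to one specific action.
//    The nonce is tied to the logged-in user and the action string, so a
//    form hosted on a third-party site cannot produce a valid value.
function example_donation_settings_form() {
    $title = get_option( 'example_donation_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_donation_settings', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_donation_settings">
        <label>Donation box title
            <input type="text" name="donation_title" value="<?php echo esc_attr( $title ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the POST: verify the nonce first, then the capability, then
//    sanitize before storing. Without the nonce check, a cross-site form
//    submitted by an administrator's browser would be accepted as genuine.
function example_save_donation_settings() {
    // Stops with a "link has expired" page when the nonce is missing or wrong.
    check_admin_referer( 'example_save_donation_settings', 'example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
    }

    // Strip tags and control characters so markup cannot be stored and later
    // rendered back to visitors as stored XSS.
    $title = isset( $_POST['donation_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['donation_title'] ) )
        : '';
    update_option( 'example_donation_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
// Only the logged-in hook is registered; no admin_post_nopriv_* variant, so
// unauthenticated requests to this action are rejected by WordPress itself.
add_action( 'admin_post_example_save_donation_settings', 'example_save_donation_settings' );

// 3. Wherever the stored value is rendered on the public site, escape it at
//    output time as well; output escaping is the last line of defence even
//    if a value reached the database by some other route.
function example_render_donation_title() {
    echo '<h3 class="donation-title">' . esc_html( get_option( 'example_donation_title', '' ) ) . '</h3>';
}
```

When reviewing a plugin for this class of issue, the check to make is that every handler registered on `admin_post_*`, `admin_ajax_*` (which should use `check_ajax_referer`) or a custom REST route verifies a nonce or a REST permission callback before it writes anything, and that the capability test is present independently of the nonce, since a nonce proves intent but not authorization.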

Generated by OpenCVE AI on April 30, 2026 at 00:22 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-30490
Title: Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System allows Stored XSS. This issue affects WP Attractive Donations System: from n/a through n/a.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System allows Stored XSS. This issue affects WP Attractive Donations System: from n/a through n/a.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System wp-attractive-donations-system-easy-stripe-paypal-donations allows Stored XSS. This issue affects WP Attractive Donations System: from n/a through < 1.29.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System allows Stored XSS. This issue affects WP Attractive Donations System: from n/a through n/a.
Title WordPress WP Attractive Donations System Plugin < 1.29 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.408Z

Reserved: 2025-09-06T04:45:02.777Z

Link: CVE-2025-58956

Vulnrichment

Updated: 2025-09-23T20:37:38.182Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:21.730

Modified: 2026-04-23T15:33:56.673

Link: CVE-2025-58956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:30:23Z

Weaknesses