Impact
A stored cross-site scripting vulnerability in the Donation Thermometer WordPress plugin allows attackers to inject malicious scripts that execute in the browsers of site visitors. The flaw is an improper neutralization of input during web page generation (CWE‑79), enabling an attacker to steal session cookies, hijack accounts, deface content, or execute arbitrary client‑side code. The CVSS score of 6.5 reflects a moderate severity, indicating meaningful impact if exploited.
Affected Systems
The vulnerable product is the WordPress Donation Thermometer plugin from publisher rhewlif, affecting all releases from the first version up to and including 2.2.6. Any WordPress installation that has this plugin installed at a version 2.2.6 or older is susceptible to the stored XSS flaw.
Risk and Exploitability
The EPSS score of less than 1% suggests that, at present, the likelihood of this vulnerability being actively exploited is low, and the issue is not listed in CISA's KEV catalog. However, because the flaw permits execution of arbitrary script in the context of any site visitor, the potential impact on confidentiality and integrity is high if an attacker is in a position to inject data, for example through an administrator account or through a vulnerable user-input form. The attack vector is inferred to be unsanitized input fields that store data for display: malicious content submitted once is stored and later rendered to every visitor of the affected page.
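As an added illustration (not the plugin's own code; the page does not identify the exact sink), the store-then-render pattern behind this class of stored XSS in a WordPress plugin, beside its hardened form. The option, shortcode and function names prefixed `dt_demo_` are hypothetical; the escaping and sanitization calls are standard WordPress APIs.

```php
<?php
// Added illustration, not the Donation Thermometer plugin's code.
// All dt_demo_* names are hypothetical.

// VULNERABLE PATTERN: a setting is stored as submitted and echoed raw.
function dt_demo_vuln_save() {
    // No sanitize step: whatever was posted is persisted verbatim.
    update_option( 'dt_demo_label', $_POST['dt_demo_label'] );
}
function dt_demo_vuln_render( $atts ) {
    $label  = get_option( 'dt_demo_label' );               // attacker-influenced
    $raised = isset( $atts['raised'] ) ? $atts['raised'] : '0';
    // Raw interpolation into an attribute and a text node: a stored value
    // containing markup or a quote lands unchanged in every visitor's page.
    return '<div class="thermometer" title="' . $raised . '">' . $label . '</div>';
}

// HARDENED PATTERN: sanitize on the way in, escape on the way out, per context.
function dt_demo_register_settings() {
    register_setting(
        'dt_demo_options',
        'dt_demo_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags before storage
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'dt_demo_register_settings' );

function dt_demo_safe_render( $atts ) {
    $atts   = shortcode_atts( array( 'raised' => '0', 'target' => '1' ), $atts, 'dt_demo_thermometer' );
    $label  = get_option( 'dt_demo_label', '' );
    $raised = max( 0, floatval( $atts['raised'] ) );   // numeric only, no markup possible
    $target = max( 1, floatval( $atts['target'] ) );
    $pct    = (int) min( 100, round( 100 * $raised / $target ) );

    // Escape for the output context: esc_attr() inside attributes, esc_html() in
    // text nodes. Output escaping still holds if the stored value was altered
    // by some path that bypassed the sanitize callback.
    return sprintf(
        '<div class="thermometer" title="%s" data-pct="%d"><span>%s</span></div>',
        esc_attr( $raised ),
        $pct,
        esc_html( $label )
    );
}
add_shortcode( 'dt_demo_thermometer', 'dt_demo_safe_render' );
```

The input-side sanitize callback and the output-side escaping are independent controls; a fix that applies only one of them leaves the other path open.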
OpenCVE Enrichment