Charitable < 1.8.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2025-47520 | Plugin Vulnerabilities

Description

The Charitable plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 1.8.5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/161c2365-932f-44d0-a76c-4aeb01f9379c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nabil Irawan

Verified

No

WPVDB ID

7788d3bb-d96b-4c32-b99a-cff0f222dcff

Timeline

Publicly Published

2025-05-07 (about 1 year ago)

Added

2025-05-13 (about 1 year ago)

Last Updated

2025-05-13 (about 1 year ago)

Other

Published

Title

Published

2021-09-10

Title

Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS

Published

2022-08-16

Title

Affiliates Manager < 2.9.14 - Admin+ Stored Cross-Site Scripting

Published

2015-05-12

Title

Artificial Intelligence Theme <= 1.2.3 - DOM Cross-Site Scripting (XSS)

Published

2025-01-16

Title

Add custom content after post <= 1.0 - Reflected Cross-Site Scripting

Published

2023-02-20

Title

Shipyaari Shipping Management <= 1.0 - Admin+ Stored XSS