Charitable – Donation Plugin < 1.6.51 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24531

Description

The plugin is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature.

Proof of Concept

1. Go to /wp-admin/edit.php?post_type=donation
2. Add new donation
3. In the first or last name forms, add the XSS payload
4. Save and the XSS payload will be executed

Affects Plugins

charitable

Fixed in 1.6.51

References

CVE

CVE-2021-24531

URL

https://www.wpcharitable.com/release-notes-1-6-51/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.8 (low)

Miscellaneous

Original Researcher

Muhammad Daffa

Submitter

Muhammad Daffa

Submitter website

https://daffa.tech

Submitter twitter

daffainfo

Verified

Yes

WPVDB ID

a5837621-ee6e-4876-9f65-82658fc0341f

Timeline

Publicly Published

2021-07-21 (about 4 years ago)

Added

2021-07-21 (about 4 years ago)

Last Updated

2023-01-24 (about 2 years ago)

Other

Published

Title

Published

2025-10-23

Title

Simple Pull Quote < 1.6.4 - Contributor+ Stored XSS

Published

2025-10-21

Title

ST Categories Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-23

Title

Page Builder: Pagelayer – Drag and Drop website builder < 2.0.1 - Reflected Cross-Site Scripting via login_url Parameter

Published

2025-01-10

Title

SlideDeck 1 Lite Content Slider <= 1.4.8 - Reflected XSS

Published

2014-08-01

Title

Schreikasten 0.14.13 - wp-admin/admin-ajax.php Multiple Parameter XSS