WordPress Plugin Vulnerabilities

Charitable - Donation Plugin < 1.6.51 - Unauthenticated Stored Cross-Site Scripting

Description

While fixing an Authenticated Stored Cross-Site Scripting issue (https://wpscan.com/vulnerability/a5837621-ee6e-4876-9f65-82658fc0341f), the vendor identified another Cross-Site Scripting issue, which could be exploited by unauthenticated users and would be triggered in the context of a logged in admin

Proof of Concept

Affects Plugins

Plugin icon
charitable
Fixed in 1.6.51

References

URL
https://plugins.trac.wordpress.org/changeset/2565878/charitable
URL
https://www.wpcharitable.com/release-notes-1-6-51/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Eric Daams
Verified
Yes
WPVDB ID
e3b23f22-d019-4e20-a238-0feb59a5760f

Timeline

Publicly Published
2021-07-21 (about 4 years ago)
Added
2021-07-21 (about 4 years ago)
Last Updated
2021-08-10 (about 4 years ago)

Other

Published
Title
Published
2025-04-02
Title
Lexicata <= 1.0.16 - Reflected Cross-Site Scripting
Published
2025-03-19
Title
WP Database Audit <= 1.0 - Reflected Cross-Site Scripting
Published
2023-12-22
Title
Divi < 4.23.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-01-16
Title
Vampire Character Manager <= 2.13 - Reflected Cross-Site Scripting
Published
2024-09-26
Title
Absolute Reviews < 1.1.4 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Criteria Name