CVE-2025-23670

Vulnerability

Description The 4 author cheer up donate plugin for WordPress, versions up to and including 1.3, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw exists in the plugin's handling of request parameters, which are reflected back to users without proper sanitization or output encoding [1].

Exploitation

Conditions Exploitation requires user interaction: an attacker must trick a privileged user (e.g., an administrator) into clicking a crafted link, visiting a malicious page, or submitting a specially prepared form. The attack is reflected, meaning the payload is delivered via a URL and executed in the context of the victim's session [1].

Potential

Impact Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript code into the affected site. This can be used to redirect visitors to malicious websites, display unwanted advertisements, steal session cookies, or perform other actions within the security context of the victim user's session. The CVSS v3 score is 7.1 (High), and the vulnerability is considered likely to be exploited in mass campaigns [1].

Mitigation

Status As of the publication date, no official patch has been released for the plugin. Affected users are advised to update the plugin when a fix becomes available or contact their hosting provider for assistance. Patchstack has reportedly issued a virtual mitigation rule to block attacks until an official patch can be applied [1].