CVE-2025-43837

Vulnerability

Description CVE-2025-43837 is a reflected Cross-Site Scripting (XSS) vulnerability in the Total Donations plugin for WordPress, affecting versions from n/a through 3.0.8. The issue arises from improper neutralization of input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code into the page [1].

Exploitation

This reflected XSS vulnerability requires user interaction, such as clicking a malicious link or visiting a specially crafted URL. A privileged user (e.g., an administrator) must perform an action like clicking the link for the attack to succeed, though the impact can affect all site visitors [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts that can execute in the context of the victim's browser. This can lead to redirects, displaying advertisements, stealing session cookies, or other actions that compromise the integrity of the website and its users [1].

Mitigation

The vulnerability has been patched in version 3.0.9. Users are strongly advised to update to the latest version immediately. For those unable to update, mitigation rules from security plugins like Patchstack may provide temporary protection until the patch is applied [1].