CVE-2025-58842
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in givecloud Donation Forms WP by Givecloud donation-forms-by-givecloud allows Stored XSS. This issue affects Donation Forms WP by Givecloud: from n/a through <= 1.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Donation Forms WP by Givecloud plugin versions ≤1.0.9 allows attackers to inject malicious scripts via unescaped input.
The WordPress plugin Donation Forms WP by Givecloud, in versions up to and including 1.0.9, contains an Improper Neutralization of Input During Web Page Generation vulnerability (Cross-site Scripting). The plugin fails to properly sanitize or escape user inputs when generating web pages, leading to a stored XSS flaw [1]. This means an attacker can inject arbitrary HTML and JavaScript code that persists on the server and is executed in the browsers of other users.
Exploitation requires a privileged user (e.g., an administrator) to interact with a crafted link, page, or form that triggers the injection [1]. While user interaction is needed for initial payload delivery, the malicious script then runs automatically for any site visitor, enabling broader impact. The attack surface is limited to authenticated users with sufficient privileges, but the stored nature of the XSS means a single successful injection can affect all subsequent site visitors.
A successful attack could allow a malicious actor to inject scripts that perform redirects, display advertisements, steal session cookies, or execute other HTML payloads when guests visit the compromised site [1]. This could lead to unauthorized actions, data theft, or further compromise of the WordPress installation.
The vendor has resolved the issue in version 1.0.10. Users are strongly advised to update the plugin to 1.0.10 or later [1]. For sites unable to update immediately, enabling auto-updates or seeking assistance from a hosting provider is recommended as a workaround [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.0.9
- (no CPE) range: <=1.0.9
Patches
No patches discovered yet.
References: 1
News mentions
No linked articles in our index yet.