CVE-2025-67550
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rhewlif Donation Thermometer donation-thermometer allows Stored XSS. This issue affects Donation Thermometer: from n/a through <= 2.2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the Donation Thermometer plugin ≤2.2.6 lets attackers inject malicious scripts via improper input neutralization.
The Donation Thermometer plugin for WordPress, versions 2.2.6 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker with a low-privileged role (such as a subscriber) to inject arbitrary JavaScript or HTML into the plugin's output, which is then stored and executed in the context of any visitor's browser [1].
Exploitation requires a privileged user to perform an action, such as visiting a crafted page or submitting a form [1]. However, once the malicious payload is stored, it automatically executes when other users load the affected page, making the attack effective even without direct interaction from the victim [1].
Successful exploitation enables an attacker to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website [1]. These scripts execute in the browser of every visitor, potentially leading to data theft, defacement, or further compromise of the site and its users [1].
The vendor has released version 2.2.7, which resolves the vulnerability by properly sanitizing user input [1]. Users are strongly advised to update immediately, or to enable auto-updates if using Patchstack. While the issue is rated as medium severity (CVSS 6.5), prompt remediation is recommended to prevent exploitation in mass campaigns targeting thousands of WordPress sites [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 2.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.