The Charitable – Donation Plugin for WordPress (up to version 1.8.3) suffers from a reflected cross-site scripting vulnerability due to improper neutralization of input during web page generation. Specifically, the plugin uses add_query_arg and remove_query_arg functions without appropriate escaping on URL parameters, enabling attackers to inject arbitrary web scripts. This vulnerability can be exploited by unauthenticated attackers who trick users into clicking malicious links, resulting in script execution within the victim's browser context. The CVSS 3.1 score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and partial impact on confidentiality and integrity. No known exploits in the wild or vendor patches have been reported as of the publication date.

Successful exploitation allows an unauthenticated attacker to execute arbitrary scripts in the context of a user's browser when they interact with a crafted URL. This can lead to partial disclosure of confidential information and modification of data within the affected web application context. There is no impact on availability. The vulnerability requires user interaction (clicking a link) and affects all versions up to and including 1.8.3 of the plugin.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution with links related to the Charitable plugin and consider implementing web application firewall (WAF) rules to detect and block reflected XSS attempts targeting this plugin. Monitoring for updates from the vendor or trusted security sources is recommended to apply patches promptly once available.