The Philantro – Donations and Donor Management plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-13527. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and output escaping of user-supplied attributes in plugin shortcodes like 'donate'. The flaw affects all versions up to and including 5.3. Authenticated attackers with contributor-level privileges or higher can exploit this by injecting arbitrary JavaScript code into pages via shortcode attributes. When other users access these pages, the malicious scripts execute in their browsers, potentially allowing attackers to hijack sessions, steal cookies, perform actions on behalf of users, or redirect victims to malicious sites. The vulnerability does not require user interaction beyond page access and has a network attack vector with low complexity. The scope is changed because the vulnerability affects multiple users who view the infected content. The CVSS 3.1 base score is 6.4, indicating medium severity with partial confidentiality and integrity impact but no availability impact. No patches or fixes are currently linked, and no known exploits are reported in the wild. The vulnerability is particularly concerning for websites relying on the Philantro plugin for donation management, as attackers with contributor access can leverage this to escalate their impact. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins handling user-generated content.

This vulnerability can have significant impacts on organizations using the Philantro plugin for managing donations and donors. Exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the infected pages. This can lead to session hijacking, theft of sensitive information such as authentication cookies, unauthorized actions performed on behalf of users, and potential redirection to phishing or malware sites. While availability is not directly affected, the integrity and confidentiality of user data and site content are compromised. For organizations handling donor information and financial transactions, this can result in reputational damage, loss of donor trust, and potential regulatory consequences if personal data is exposed. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but contributor-level permissions are common in many WordPress sites, increasing the attack surface. The vulnerability also poses risks for site administrators and editors who may unknowingly trigger malicious scripts. Given the widespread use of WordPress and donation plugins, the scope of affected systems is broad, especially for nonprofits and charities relying on this plugin.

Organizations should immediately review user roles and permissions to limit contributor-level access only to trusted users. Implement strict input validation and output encoding for all user-supplied data, especially within shortcode attributes. Monitor and audit plugin usage and shortcode content for suspicious or unexpected scripts. Since no official patch is currently available, consider temporarily disabling the Philantro plugin or removing shortcode usage until a fix is released. Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting shortcode parameters. Educate site administrators and content editors about the risks of XSS and the importance of cautious content management. Regularly update WordPress core and all plugins to their latest versions once patches are released. Additionally, implement Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. Conduct periodic security assessments and penetration testing focusing on user input handling in plugins.