The Simple Donate plugin for WordPress, developed by ethoseo, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-11882. This vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Specifically, the plugin's simpledonate shortcode fails to properly sanitize and escape user-supplied attributes, allowing malicious scripts to be stored in the website's content. Attackers with at least contributor-level access can exploit this flaw by injecting arbitrary JavaScript code into pages rendered by the plugin. When other users, including administrators or visitors, access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or further exploitation of the site. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low complexity, privileges required, no user interaction, and a scope change due to impact on other components. Although no public exploits are known at this time, the vulnerability poses a significant risk given the widespread use of WordPress and the plugin's role in donation processing. The lack of available patches necessitates immediate attention to alternative mitigations.

This vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the Simple Donate plugin. The impact includes potential theft of user credentials, session tokens, or other sensitive information through script execution in victim browsers. It can also facilitate unauthorized actions on behalf of users, including administrators, leading to privilege escalation or site defacement. The integrity of website content can be compromised, damaging organizational reputation and trust. While availability is not directly affected, the indirect consequences of exploitation, such as blacklisting by search engines or loss of user confidence, can have operational impacts. Organizations relying on this plugin for donation processing may face financial and reputational risks if exploited. The medium CVSS score reflects these moderate but significant impacts, especially given the ease of exploitation by authenticated users and the scope of effect on multiple users.

Organizations should immediately audit their WordPress installations to identify the presence of the Simple Donate plugin and its version. Since no official patch is currently available, administrators should consider temporarily disabling or uninstalling the plugin to eliminate exposure. Restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input. Implement Web Application Firewall (WAF) rules to detect and block suspicious script payloads in shortcode attributes. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly monitor site content for unauthorized changes or injected scripts. Educate content contributors about safe input practices and the risks of injecting untrusted code. Once a vendor patch is released, promptly apply updates. Additionally, consider using security plugins that provide input sanitization and output escaping enhancements for shortcodes and user-generated content.