CVE-2025-12020 is a stored cross-site scripting vulnerability (CWE-79) in the Double the Donation WordPress plugin up to version 3.0.0. It occurs due to improper neutralization of input during web page generation in the plugin's admin settings. Authenticated attackers with administrator privileges can inject arbitrary web scripts that execute when other users view the affected pages. This vulnerability specifically impacts multi-site WordPress installations or those with unfiltered_html disabled, limiting the attack surface. The CVSS 3.1 base score is 4.9, reflecting medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and partial confidentiality and integrity impact.

An attacker with administrator-level permissions can inject malicious scripts into the plugin's admin settings, which will execute in the context of users viewing the affected pages. This can lead to partial confidentiality and integrity impacts, such as theft of sensitive information or unauthorized actions performed on behalf of users. The vulnerability does not affect availability. The attack complexity is high, and exploitation requires authenticated access with elevated privileges, limiting the scope of potential attackers.

No official patch or fix is currently documented for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrator access to trusted users only and consider disabling or removing the plugin in multi-site environments or where unfiltered_html is disabled. Monitor for updates from the vendor or WordPress plugin repository to apply any forthcoming patches promptly.