CVE-2025-12020 is a stored cross-site scripting (XSS) vulnerability identified in the Double the Donation plugin for WordPress, a tool designed to facilitate workplace giving and fundraising efforts. The vulnerability affects all versions up to and including 2.0.0. It specifically impacts multisite WordPress installations or those where the unfiltered_html capability is disabled, conditions that restrict direct HTML input but still allow this attack vector. The root cause is insufficient input sanitization and output escaping in the plugin's admin settings interface, allowing an authenticated attacker with administrator-level privileges or higher to inject arbitrary JavaScript code. This malicious script is stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions within the WordPress environment. The attack requires the attacker to have elevated privileges (administrator or above), which limits the attack surface but does not eliminate risk, especially in environments with multiple administrators or compromised credentials. The vulnerability has a CVSS v3.1 base score of 4.9, indicating medium severity, with the vector indicating network attack vector, high attack complexity, low privileges required, no user interaction, and a scope change. No public exploits have been reported yet, and no official patches are linked, suggesting that mitigation may currently rely on configuration changes or plugin updates once available. The vulnerability is cataloged under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

For European organizations, the impact of this vulnerability depends largely on the extent of WordPress multisite deployments using the Double the Donation plugin. Organizations involved in fundraising, non-profits, or corporate social responsibility programs that utilize this plugin could face risks of unauthorized script execution within their administrative portals. This can lead to theft of administrative session tokens, unauthorized actions performed on behalf of administrators, or defacement of fundraising pages, potentially damaging reputation and trust. Since the vulnerability requires administrator-level access, the risk is heightened in environments with multiple administrators or where credential compromise is possible. The confidentiality and integrity of administrative data are primarily at risk, while availability impact is minimal. Given the plugin’s niche use case, the overall scope is limited but significant for affected entities. European organizations with strict data protection regulations (e.g., GDPR) must consider the potential for data breaches or unauthorized data manipulation resulting from exploitation. The lack of known exploits reduces immediate risk but should not lead to complacency.

To mitigate CVE-2025-12020, European organizations should first verify if they use the Double the Donation plugin in multisite WordPress environments or have unfiltered_html disabled. Immediate steps include restricting administrator access to trusted personnel and enforcing strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Administrators should audit plugin settings for suspicious scripts or unauthorized changes. Until an official patch is released, consider disabling or removing the plugin if feasible, or isolating it in a staging environment. Implement Content Security Policy (CSP) headers to limit the impact of injected scripts. Regularly update WordPress core and all plugins to the latest versions, monitoring vendor announcements for patches addressing this vulnerability. Additionally, conduct security training for administrators to recognize and prevent malicious configuration changes. Employ web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. Finally, monitor logs for unusual administrative activity and conduct periodic security assessments of WordPress installations.