CVE-2025-12643 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Saphali LiqPay for donate plugin for WordPress, present in all versions up to and including 1.0.2. The vulnerability stems from improper neutralization of user-supplied input during web page generation, specifically within the 'saphali_liqpay' shortcode attributes. Authenticated users with contributor-level access or higher can inject arbitrary JavaScript code that is stored persistently and executed in the context of any user visiting the affected page. This occurs because the plugin fails to adequately sanitize and escape input before rendering it on pages, violating CWE-79 standards. The CVSS 3.1 base score is 6.4, reflecting a medium severity level with an attack vector over the network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact includes potential confidentiality and integrity breaches, such as session hijacking, defacement, or unauthorized actions performed on behalf of users. No patches or official fixes are currently linked, and no exploits have been reported in the wild, but the vulnerability poses a significant risk in environments where contributors can add shortcode content. The vulnerability is particularly relevant for WordPress sites accepting donations via LiqPay, a payment system popular in certain regions. The technical details confirm the vulnerability was reserved and published in early November 2025, with Wordfence as the assigner.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially compromising user sessions, stealing sensitive information, or enabling further attacks such as privilege escalation or phishing. Organizations relying on the Saphali LiqPay for donate plugin for processing donations or payments are at risk of reputational damage and financial fraud. Since the attack requires contributor-level access, insider threats or compromised contributor accounts increase risk. The scope change in the CVSS vector suggests that the vulnerability can affect components beyond the plugin itself, potentially impacting the broader WordPress environment. Given the widespread use of WordPress across Europe, especially among NGOs, charities, and small to medium enterprises that accept donations online, the impact could be significant if exploited. However, the absence of known exploits in the wild and the medium severity score indicate that immediate widespread damage is unlikely but vigilance is necessary.

European organizations should immediately audit user roles and permissions to ensure that contributor-level access is granted only to trusted users. Implement strict input validation and output escaping for any shortcode attributes, either by applying vendor patches when available or by custom development to sanitize inputs. Monitor and review all pages using the 'saphali_liqpay' shortcode for suspicious content or injected scripts. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to this plugin’s context. Regularly update WordPress core and plugins, and subscribe to security advisories from the plugin vendor and WordPress security communities. Consider temporarily disabling the plugin or restricting its usage until a patch is released. Educate content contributors about secure content practices and the risks of injecting untrusted code. Finally, implement Content Security Policy (CSP) headers to limit the impact of any potential script injection.