The Saphali LiqPay for donate plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-12643. This vulnerability is due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes passed via the 'saphali_liqpay' shortcode, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. When other users access pages containing the injected shortcode, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of the victim. The vulnerability is exploitable remotely over the network without requiring user interaction, and the attack complexity is low since it only requires contributor-level authentication, which is common in many WordPress environments. The CVSS 3.1 base score is 6.4, reflecting a medium severity with partial confidentiality and integrity impacts but no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those accepting contributions from multiple users. The lack of a patch at the time of reporting means mitigation must focus on access control and input validation until an official fix is released.

The vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into WordPress pages, which execute in the context of any user visiting those pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or misinformation. For organizations, this undermines the confidentiality and integrity of their web applications and user data, potentially damaging reputation and trust. Since the attack requires contributor-level access, environments with multiple content editors or less stringent access controls are at higher risk. The absence of availability impact means the website remains operational, but the security breach can facilitate further attacks or data exfiltration. Given the widespread use of WordPress and donation plugins, many organizations worldwide could be affected, especially non-technical users who may not detect the injected scripts. The medium severity score reflects these moderate but impactful risks.

1. Immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious shortcode injection. 2. Implement strict input validation and sanitization on all user-supplied shortcode attributes, ensuring that only expected data types and formats are accepted. 3. Apply output encoding/escaping on shortcode attributes before rendering them in pages to prevent script execution. 4. Monitor and audit content created by contributors for suspicious or unexpected scripts or HTML tags. 5. Disable or remove the Saphali LiqPay for donate plugin until an official patch is released. 6. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting shortcode parameters. 7. Educate content editors about the risks of injecting untrusted content and enforce least privilege principles. 8. Keep WordPress core, themes, and plugins updated to reduce exposure to known vulnerabilities. 9. After patch availability, promptly update the plugin to the fixed version. 10. Consider implementing Content Security Policy (CSP) headers to limit the impact of injected scripts.