CVE-2025-23860 identifies a stored Cross-site Scripting (XSS) vulnerability within the crea8xion Charity-thermometer plugin, a tool used to display donation progress on charity websites. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows malicious JavaScript code to be injected and persistently stored within the application. When other users visit affected pages, the malicious script executes in their browsers under the context of the vulnerable site, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. The vulnerability affects all versions up to and including 1.1.2, with no patch currently available or linked. Exploitation does not require authentication or user interaction beyond visiting a compromised page, increasing the attack surface. Although no known exploits have been reported in the wild, the nature of stored XSS makes it a critical risk for websites relying on this plugin, particularly those handling user data or financial transactions. The lack of a CVSS score necessitates an assessment based on impact and exploitability, which indicates a high severity due to the potential for widespread compromise and ease of exploitation.

The impact of CVE-2025-23860 is significant for organizations using the crea8xion Charity-thermometer plugin, especially those operating charity or donation websites. Successful exploitation can lead to theft of user credentials, session hijacking, unauthorized actions on behalf of users, and distribution of malware, undermining user trust and potentially causing financial and reputational damage. Since the vulnerability is stored XSS, it can affect any visitor to the compromised site, broadening the scope of impact. Attackers could also use the vulnerability as a foothold to escalate attacks within the organization's network or to target other users. The absence of authentication requirements and the persistent nature of the injected script increase the risk of widespread exploitation. Organizations may face regulatory and compliance consequences if user data is compromised. Overall, the threat poses a high risk to confidentiality, integrity, and availability of affected web applications and their users.

To mitigate CVE-2025-23860, organizations should prioritize the following actions: 1) Monitor for and apply any official patches or updates released by crea8xion as soon as they become available. 2) Implement strict input validation on all user-supplied data to ensure that malicious scripts cannot be injected. 3) Employ robust output encoding and context-aware escaping techniques when rendering user input in web pages to neutralize potentially harmful content. 4) Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5) Conduct regular security audits and penetration testing focused on XSS vulnerabilities. 6) Educate web developers and administrators on secure coding practices related to input handling. 7) Consider temporarily disabling or replacing the Charity-thermometer plugin if patching is not immediately possible. 8) Monitor web server logs and user reports for signs of suspicious activity or exploitation attempts. These targeted measures go beyond generic advice and address the specific nature of stored XSS in this plugin.