CVE-2025-24535 is a Reflected Cross-site Scripting (XSS) vulnerability identified in the SKT Donation plugin developed by sonalsinha21, affecting all versions up to and including 1.9. The vulnerability stems from improper neutralization of input during web page generation, meaning that user-supplied data is not correctly sanitized or encoded before being included in the HTML output. This flaw allows an attacker to craft malicious URLs containing executable JavaScript code that, when visited by a victim, runs in the victim's browser under the context of the vulnerable website. This can lead to theft of session cookies, redirection to malicious sites, or unauthorized actions performed on behalf of the user. The vulnerability is classified as reflected XSS because the malicious script is reflected off the web server in the response to a crafted request, requiring the victim to click a specially crafted link. No authentication is required to exploit this vulnerability, increasing its risk profile. Although no public exploits or active attacks have been reported, the widespread use of WordPress and donation plugins makes this a notable risk. The lack of a CVSS score indicates that the vulnerability is newly published and pending detailed scoring, but the nature of reflected XSS vulnerabilities typically poses a high risk to confidentiality and integrity of user data. The absence of patches at the time of publication necessitates immediate mitigation steps such as input validation, output encoding, and user awareness.

The primary impact of CVE-2025-24535 is on the confidentiality and integrity of user data interacting with affected SKT Donation plugin instances. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users and potentially access sensitive donation or user account information. Attackers may also perform unauthorized actions on behalf of users, such as changing donation details or redirecting users to phishing sites, undermining trust in the affected organizations. The availability impact is generally low but could be indirectly affected if attackers deface the site or cause disruptions through malicious scripts. Organizations relying on SKT Donation for fundraising or donation management may suffer reputational damage and loss of donor confidence. Since the vulnerability requires user interaction (clicking a malicious link), the scope of impact depends on the ability of attackers to lure victims. However, given the plugin’s use in charitable and nonprofit sectors, the threat could affect a wide range of organizations globally, especially those with public-facing donation portals.

1. Monitor the vendor’s official channels for patches or updates addressing CVE-2025-24535 and apply them promptly once available. 2. Implement strict input validation on all user-supplied data, ensuring that inputs are sanitized to remove or encode characters that could be interpreted as executable code. 3. Apply context-appropriate output encoding (e.g., HTML entity encoding) before reflecting any user input in web pages to prevent script execution. 4. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks. 5. Educate users and staff about the risks of clicking suspicious links, especially those related to donation requests or campaigns. 6. Employ web application firewalls (WAFs) with rules designed to detect and block reflected XSS attack patterns targeting the SKT Donation plugin. 7. Conduct regular security audits and penetration testing focusing on input handling and output rendering in donation-related web applications. 8. Consider temporarily disabling or replacing the SKT Donation plugin with a more secure alternative if immediate patching is not feasible.