CVE-2025-32637 is a stored cross-site scripting (XSS) vulnerability identified in the WP Donate plugin developed by ketanajani, affecting all versions up to and including 2.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is stored persistently on the affected site. When other users or administrators view the compromised pages, the injected scripts execute in their browsers within the context of the vulnerable site, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. Stored XSS is particularly dangerous because the malicious payload remains on the server and is served to multiple users without requiring repeated attacker interaction. The vulnerability does not require authentication, making it accessible to unauthenticated attackers, and no user interaction beyond visiting the infected page is necessary to trigger the exploit. Although no known exploits have been reported in the wild as of the publication date, the flaw represents a significant risk to websites using WP Donate, a plugin commonly employed to facilitate donations on WordPress sites. The absence of a CVSS score indicates that the vulnerability is newly disclosed and pending further assessment. The vulnerability was reserved and published in April 2025, with no patches or mitigations officially released yet. This vulnerability highlights the importance of secure input handling and output encoding in web applications, especially plugins that handle user-generated content.

The impact of CVE-2025-32637 on organizations worldwide can be substantial, especially for those relying on WP Donate to manage online donations. Successful exploitation can lead to the compromise of user sessions, theft of sensitive information such as login credentials or personal data, and unauthorized actions performed on behalf of legitimate users. Additionally, attackers could deface websites or use the vulnerability to distribute malware, damaging organizational reputation and trust. Nonprofits, charities, and other organizations that depend on donation plugins are particularly vulnerable, as attackers may exploit the trust relationship to target donors. The vulnerability affects the confidentiality and integrity of data and can also impact availability if attackers use the exploit to inject disruptive scripts. Since the vulnerability requires no authentication and minimal user interaction, the attack surface is broad, increasing the likelihood of exploitation once a public exploit becomes available. Organizations that do not promptly address this vulnerability risk data breaches, financial fraud, and reputational harm.

To mitigate the risks posed by CVE-2025-32637, organizations should take several specific actions beyond generic advice: 1) Monitor the WP Donate plugin vendor’s official channels for patches or updates addressing this vulnerability and apply them immediately upon release. 2) In the interim, implement strict input validation and sanitization on all user-supplied data fields related to the plugin, ensuring that scripts and HTML tags are properly escaped or removed before storage or rendering. 3) Deploy a robust Content Security Policy (CSP) that restricts the execution of inline scripts and limits sources of executable code to trusted domains, reducing the impact of any injected scripts. 4) Conduct a thorough audit of existing content managed by WP Donate to identify and remove any potentially malicious scripts that may have been injected prior to mitigation. 5) Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS attack patterns targeting the plugin. 6) Educate site administrators and users about the risks of XSS and encourage vigilance when reviewing user-generated content. 7) Consider temporarily disabling the WP Donate plugin if immediate patching is not possible and if the donation functionality is not critical, to reduce exposure. These measures collectively reduce the likelihood and impact of exploitation until a permanent fix is applied.