The Charitable – Donation Plugin for WordPress (up to version 1.8.6.1) contains a stored cross-site scripting vulnerability (CWE-79) in the privacy settings fields due to inadequate input sanitization and output escaping. This allows authenticated users with administrator privileges to inject arbitrary web scripts that execute when other users access the affected pages. This vulnerability specifically affects multi-site WordPress installations or those where the unfiltered_html capability is disabled. The vulnerability was partially fixed in version 1.8.6.1 and fully fixed in version 1.8.6.2. The CVSS 3.1 base score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, and requiring high privileges but no user interaction. No public exploits have been reported.

Successful exploitation allows an authenticated administrator on affected WordPress multi-site installations or with unfiltered_html disabled to inject persistent malicious scripts into pages. This can lead to limited confidentiality and integrity impacts, such as executing arbitrary scripts in the context of other users. The vulnerability does not affect availability. The medium CVSS score (4.4) reflects these limited impacts and the requirement for high privileges and complex attack conditions.

The vulnerability is fully fixed in Charitable plugin version 1.8.6.2. Users should upgrade to version 1.8.6.2 or later to remediate this issue. Versions up to and including 1.8.6.1 are vulnerable, with only a partial fix applied in 1.8.6.1. No other mitigations are indicated by the vendor advisory. Patch status is confirmed by the version history described in the advisory.