CVE-2025-58999: Cross-Site Request Forgery (CSRF) in loopus WP Attractive Donations System - Easy Stripe & Paypal donations
Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations (WP_AttractiveDonationsSystem) allows Cross Site Request Forgery. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25.
AI Analysis
Technical Summary
CVE-2025-58999 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin 'WP Attractive Donations System - Easy Stripe & Paypal donations' developed by loopus, affecting all versions up to and including 1.25. CSRF vulnerabilities occur when a web application does not sufficiently verify that a state-changing request was intentionally issued by the user whose session it arrives under, allowing attackers to craft web pages that trigger unintended actions on behalf of authenticated users. In this case, the plugin lacks proper CSRF protections, so an attacker can cause an authenticated administrator, or another user with sufficient privileges, to unknowingly perform actions such as modifying donation settings or initiating donation transactions via Stripe or PayPal. The attacker needs no credentials of their own: the victim only has to be logged in to the site and visit a malicious page. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk given the financial nature of the plugin's functionality. The absence of a CVSS score indicates that the vulnerability is newly published and has not yet been fully assessed. The plugin is commonly used by organizations to facilitate donations, making the integrity and availability of its operations critical. The vulnerability was reserved in September 2025 and published in December 2025, with no patches currently available, highlighting the urgency for mitigation measures.
Potential Impact
For European organizations, particularly nonprofits, charities, and fundraising platforms relying on the WP Attractive Donations System plugin, this vulnerability could lead to unauthorized manipulation of donation processes. Attackers could initiate fraudulent donation transactions, alter donation settings, or disrupt the donation flow, potentially causing financial losses, reputational damage, and loss of donor trust. The integrity of donation data could be compromised, and availability of donation services may be affected if attackers exploit the vulnerability to disrupt operations. Since Stripe and PayPal are widely used payment gateways in Europe, misuse of these integrations could have direct financial implications. Organizations with limited cybersecurity resources or delayed patching processes are at higher risk. Additionally, regulatory compliance concerns, such as GDPR, may arise if donor data integrity or confidentiality is impacted. The threat is particularly relevant for European countries with large nonprofit sectors and high WordPress adoption rates.
Mitigation Recommendations
Organizations should immediately audit their use of the WP Attractive Donations System plugin and restrict administrative access to trusted personnel only. Until an official patch is released, implement web application firewall (WAF) rules to detect and block suspicious CSRF attack patterns targeting donation-related endpoints. Enforce multi-factor authentication (MFA) for all administrative accounts to reduce the risk of session hijacking. Review and harden WordPress security configurations, including limiting plugin permissions and disabling unnecessary features. Monitor logs for unusual donation transactions or configuration changes. Educate users about the risks of visiting untrusted websites while logged into administrative accounts. Once available, promptly apply vendor patches or updates that address the CSRF vulnerability. Consider isolating donation management functions to dedicated, hardened environments or using alternative plugins with robust security controls. Regularly back up donation data to enable recovery in case of compromise.
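The following is an added illustration, not code from the loopus plugin, of the defect class described in the Technical Summary and of the logging the Mitigation Recommendations ask for. It shows a generic WordPress admin-post handler that saves donation settings without any request-origin check, beside a hardened version that binds the form to a nonce, verifies the nonce and the caller's capability before touching state, and records the change so it can be monitored. All function names, option keys and form field names are assumptions; the plugin's real handlers and endpoints are not described on this page.

```php
<?php
// Added example (not the plugin's own code). Handler names, option keys,
// text domain and form fields are hypothetical.

// --- Vulnerable pattern: no nonce, no capability check ----------------------
// A logged-in administrator who visits an attacker-controlled page can be made
// to submit a form that posts here; the browser attaches the WordPress auth
// cookies and the handler trusts the request. This is the class of weakness
// CVE-2025-58999 reports.
function vuln_save_donation_settings() {
    update_option( 'vuln_donation_currency', sanitize_text_field( wp_unslash( $_POST['currency'] ?? '' ) ) );
    update_option( 'vuln_donation_paypal_email', sanitize_email( wp_unslash( $_POST['paypal_email'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=vuln-donations&saved=1' ) );
    exit;
}
add_action( 'admin_post_vuln_save_donation_settings', 'vuln_save_donation_settings' );

// --- Hardened pattern ---------------------------------------------------------
// 1. Form side: embed a nonce tied to the action name. A third-party site
//    cannot read this value, so it cannot build a request that passes the check.
function hardened_render_donation_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hardened_save_donation_settings">
        <?php wp_nonce_field( 'hardened_save_donation_settings', '_hardened_nonce' ); ?>
        <label>Currency <input type="text" name="currency"></label>
        <label>PayPal e-mail <input type="email" name="paypal_email"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handler side: verify the nonce AND the capability before changing state.
function hardened_save_donation_settings() {
    // check_admin_referer() ends the request with a 403 page when the nonce is
    // missing, expired, or bound to a different action or user.
    check_admin_referer( 'hardened_save_donation_settings', '_hardened_nonce' );

    // The nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hardened-donations' ), 403 );
    }

    $currency = sanitize_text_field( wp_unslash( $_POST['currency'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['paypal_email'] ?? '' ) );

    // Record who changed what, so configuration changes can be monitored.
    error_log( sprintf(
        'donation settings changed by user %d: currency=%s paypal_email=%s',
        get_current_user_id(),
        $currency,
        $email
    ) );

    update_option( 'hardened_donation_currency', $currency );
    update_option( 'hardened_donation_paypal_email', $email );
    wp_safe_redirect( add_query_arg( 'saved', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_hardened_save_donation_settings', 'hardened_save_donation_settings' );

// 3. The same rule applies to other entry points: AJAX handlers use
//    check_ajax_referer( $action, $query_arg ), and REST routes need a
//    permission_callback together with the X-WP-Nonce header.
```

When auditing a plugin for this weakness, look at every `admin_post_*`, `wp_ajax_*` and REST callback that writes options, creates orders or calls a payment gateway, and confirm that each one performs both a nonce check and a capability check before the write; a sanitized input with no origin check, as in the vulnerable handler above, is exactly the pattern to flag.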
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-06T04:45:29.150Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6941174b594e45819d70bb16
Added to database: 12/16/2025, 8:24:43 AM
Last enriched: 12/16/2025, 8:32:46 AM
Last updated: 12/18/2025, 4:35:34 AM