CVE-2025-58999: Cross-Site Request Forgery (CSRF) in loopus WP Attractive Donations System - Easy Stripe & Paypal donations
Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Cross Site Request Forgery. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25.
AI Analysis
Technical Summary
CVE-2025-58999 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin 'WP Attractive Donations System - Easy Stripe & Paypal donations' developed by loopus. This plugin facilitates donation processing via Stripe and PayPal on WordPress sites. The vulnerability exists in versions up to and including 1.25, allowing attackers to craft malicious web requests that, when executed by an authenticated user, can perform unauthorized actions within the plugin. CSRF attacks exploit the trust a web application places in the user's browser by leveraging the user's authenticated session to execute state-changing requests without their knowledge or consent. In this case, an attacker could potentially manipulate donation settings or trigger donation-related transactions. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, requires no privileges, but does require user interaction (such as clicking a link). The impact is limited to integrity, with no direct confidentiality or availability effects. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed proactively. The plugin’s role in handling financial transactions via Stripe and PayPal makes integrity compromises potentially impactful, as unauthorized changes could lead to financial discrepancies or fraud. The vulnerability highlights the importance of implementing anti-CSRF protections such as nonce tokens and validating request origins in WordPress plugins handling sensitive operations.
Potential Impact
For European organizations using the affected WordPress plugin, the primary impact is on the integrity of donation processing workflows. An attacker exploiting this CSRF vulnerability could manipulate donation parameters, potentially redirecting funds, altering amounts, or changing payment configurations without authorization. This could lead to financial losses, donor mistrust, and reputational damage, especially for nonprofits and charities relying on online donations. Since the vulnerability does not affect confidentiality or availability directly, data breaches or service outages are less likely. However, the financial and reputational consequences of manipulated donations can be significant. Organizations in Europe with active fundraising campaigns or donation portals using this plugin are at risk. Additionally, regulatory compliance under GDPR may be impacted if donor trust is compromised or if financial irregularities arise. The requirement for user interaction means phishing or social engineering could be used to induce victims to trigger the malicious requests. The lack of known exploits in the wild suggests a window for mitigation before widespread attacks occur.
Mitigation Recommendations
1. Monitor for and apply plugin updates from the vendor as soon as they become available to address this CSRF vulnerability.
2. Implement web application firewall (WAF) rules to detect and block suspicious cross-site requests targeting donation-related endpoints.
3. Restrict administrative access to the plugin’s configuration pages to trusted users only and enforce strong authentication mechanisms.
4. Add or verify the presence of anti-CSRF tokens (nonces) in all state-changing requests within the plugin’s codebase if custom development is possible.
5. Educate users and administrators about phishing risks and the importance of not clicking suspicious links while authenticated to WordPress sites.
6. Regularly audit donation transactions and configurations for unauthorized changes or anomalies.
7. Consider isolating donation processing on dedicated subdomains or separate WordPress instances to reduce attack surface.
8. Employ Content Security Policy (CSP) headers to limit the ability of attackers to execute malicious scripts that could facilitate CSRF attacks.
9. Review and harden WordPress security settings, including limiting plugin installation and updates to trusted personnel.
10. Engage with the plugin vendor or security community to track patch releases and vulnerability disclosures.
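The following is an added illustration (not code from the plugin or from this advisory) of the two controls the technical summary and mitigation step 4 call for: a settings handler that trusts the session cookie alone beside one that also requires a same-origin request and a nonce bound to the action, user and login session, in the style of WordPress's wp_create_nonce. The site origin, secret, action name and request dictionaries are all constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlparse

SITE_ORIGIN = "https://donations.example.org"  # constructed sample site
NONCE_SECRET = b"constructed-site-salt"        # stands in for the site's secret salt
ACTION = "wpads_save_settings"                 # hypothetical action name, not the plugin's own

def create_nonce(action, user_id, session_token):
    """Nonce bound to action, user and login session (wp_create_nonce style)."""
    msg = f"{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def verify_nonce(nonce, action, user_id, session_token):
    return hmac.compare_digest(nonce, create_nonce(action, user_id, session_token))

def origin_allowed(headers):
    """Origin (Referer as fallback) must be this site; absent or foreign is rejected."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN

def save_settings_vulnerable(request, settings):
    """Trusts the session cookie alone, so a cross-site form POST is accepted."""
    if request["user"] is None:
        return "forbidden"
    settings["paypal_email"] = request["form"]["paypal_email"]
    return "saved"

def save_settings_hardened(request, settings):
    """Capability, same-origin and nonce checks run before any state change."""
    user = request["user"]
    if user is None or not user["can_manage_options"]:
        return "forbidden"
    if not origin_allowed(request["headers"]):
        return "forbidden"
    nonce = request["form"].get("_wpnonce", "")
    if not verify_nonce(nonce, ACTION, user["id"], user["session_token"]):
        return "forbidden"
    settings["paypal_email"] = request["form"]["paypal_email"]
    return "saved"

# Constructed requests: both carry the admin's session cookie; only the second comes from the site's own form.
ADMIN = {"id": 1, "can_manage_options": True, "session_token": "sess-abc123"}
CROSS_SITE_POST = {"user": ADMIN, "headers": {"Origin": "https://third-party.example"},
                   "form": {"paypal_email": "someone-else@example.net"}}
SAME_SITE_POST = {"user": ADMIN, "headers": {"Origin": SITE_ORIGIN},
                  "form": {"paypal_email": "treasurer@example.org",
                           "_wpnonce": create_nonce(ACTION, 1, "sess-abc123")}}
```

In a real WordPress plugin the equivalent of the hardened handler is `current_user_can()` followed by `check_admin_referer()` (or `wp_verify_nonce()`) on every state-changing request, with the nonce emitted by `wp_nonce_field()` in the settings form.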
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-06T04:45:29.150Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6941174b594e45819d70bb16
Added to database: 12/16/2025, 8:24:43 AM
Last enriched: 1/20/2026, 9:19:35 PM
Last updated: 2/4/2026, 9:39:11 AM