CVE-2025-67550 is a Stored Cross-Site Scripting (XSS) vulnerability found in the rhewlif Donation Thermometer plugin, affecting versions up to and including 2.2.6. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored persistently within the application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, or unauthorized actions performed with the victim's privileges. The vulnerability is classified as a Stored XSS, which is generally more dangerous than reflected XSS due to its persistent nature. No CVSS score has been assigned yet, and no patches or official fixes have been released as of the publication date (December 9, 2025). There are also no known exploits reported in the wild, indicating that active exploitation has not been observed. The plugin Donation Thermometer is commonly used by organizations to visually display donation progress on websites, often in the nonprofit sector. The vulnerability could be exploited by attackers submitting crafted inputs through donation forms or other input fields that are not properly sanitized or encoded before rendering. This can compromise the confidentiality and integrity of user sessions and data. The lack of immediate patches necessitates interim mitigation strategies such as input validation, output encoding, and deploying web application firewalls (WAFs) to detect and block malicious payloads. Monitoring logs for suspicious activity is also recommended. The vulnerability's impact is significant given the potential for widespread exploitation on websites using this plugin.

For European organizations, especially nonprofits and charities that rely on the Donation Thermometer plugin to display fundraising progress, this vulnerability poses a significant risk. Exploitation could lead to compromise of user accounts, theft of donor information, and damage to organizational reputation. The persistent nature of stored XSS means that once malicious scripts are injected, they can affect all visitors to the compromised pages, amplifying the impact. This could result in loss of donor trust and potential legal liabilities under GDPR due to exposure of personal data. Additionally, attackers could use the vulnerability as a foothold to conduct further attacks such as phishing or spreading malware. The disruption could affect the availability of donation tracking features, impacting fundraising efforts. Given the critical role of online presence for European nonprofits, the threat could have financial and operational consequences.

1. Immediately audit and sanitize all user inputs in the Donation Thermometer plugin, ensuring proper input validation and output encoding to neutralize malicious scripts. 2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 3. Deploy a Web Application Firewall (WAF) configured to detect and block common XSS attack patterns targeting the plugin. 4. Monitor web server and application logs for unusual input patterns or repeated suspicious requests that may indicate exploitation attempts. 5. Restrict permissions on input fields to trusted users where possible, minimizing exposure to untrusted input. 6. Once available, promptly apply official patches or updates released by the vendor addressing this vulnerability. 7. Educate web administrators and developers about secure coding practices related to input handling and output encoding. 8. Consider temporary removal or disabling of the Donation Thermometer plugin if mitigation is not feasible until a patch is available.