CVE-2025-67550 identifies a Stored Cross-site Scripting (XSS) vulnerability in the rhewlif Donation Thermometer plugin, a tool commonly used to display fundraising progress on websites. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows malicious actors to inject persistent scripts into pages viewed by other users. This stored XSS flaw affects all versions up to and including 2.2.6. The CVSS 3.1 base score is 6.5, indicating medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact metrics indicate low confidentiality, integrity, and availability impacts individually, but combined they can lead to significant security issues such as session hijacking, defacement, or redirection to malicious sites. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a credible threat. The plugin is typically used in web environments, often integrated into WordPress sites, making it accessible remotely. Attackers with low privileges can craft payloads that, when viewed by other users, execute in their browsers, potentially compromising user accounts or site integrity.

For European organizations, especially nonprofits, charities, and fundraising platforms using the rhewlif Donation Thermometer plugin, this vulnerability poses risks of unauthorized script execution leading to session hijacking, data theft, or website defacement. Such incidents can damage organizational reputation, erode donor trust, and lead to regulatory scrutiny under GDPR if personal data is compromised. The medium severity score reflects that while the vulnerability does not allow full system takeover, it can facilitate lateral attacks or phishing campaigns. Given the widespread use of WordPress and donation-related plugins in Europe, the threat surface is significant. Attackers could exploit this vulnerability to target high-profile fundraising campaigns or manipulate donation data, impacting financial integrity. Additionally, the requirement for user interaction means social engineering could be leveraged to increase attack success. The lack of known exploits in the wild provides a window for proactive defense, but organizations should not delay remediation.

Organizations should immediately inventory their web assets to identify installations of the rhewlif Donation Thermometer plugin and verify the version in use. Until an official patch is released, implement strict input validation and output encoding on all user-supplied data fields related to the plugin to prevent script injection. Employ Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Regularly monitor web logs and user reports for suspicious activity indicative of XSS exploitation attempts. Educate site administrators and users about the risks of clicking on suspicious links or interacting with untrusted content. Once a patch or update is available from the vendor, apply it promptly. Additionally, consider deploying Web Application Firewalls (WAFs) with rules tuned to detect and block XSS attack patterns targeting this plugin. Conduct security testing and code reviews on custom integrations involving the plugin to ensure no additional vulnerabilities exist.