CVE-2024-3594 in IDonate Plugin

Summary

by MITRE • 05/23/2024

The IDonate WordPress plugin through 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


Analysis

by VulDB Data Team • 03/28/2025

The IDonate WordPress plugin, in versions through 1.9.0, does not sanitise and escape some of its settings, which turns those settings into a stored cross-site scripting (XSS) sink. The flaw matters in installations where administrators have been denied the unfiltered_html capability, most commonly multisite networks, where by default only the super admin holds it. A site administrator, who is supposed to be unable to store raw markup, can save a script payload in the plugin's settings and have it execute in the browser of any user who loads the page where that setting is rendered, including the super admin. Because exploitation requires an already-authenticated administrator, the practical severity is moderate rather than critical; the EPSS score recorded on this page is 0.00518 and the issue is not in CISA's KEV catalogue.

Technically the vulnerability is a missing pair of controls. The plugin's settings screen accepts the submitted value and writes it verbatim to the options table with no sanitisation step, and the stored value is later concatenated into HTML without escaping. WordPress core does not filter option values on the plugin's behalf: the KSES filtering that strips script from content for users without unfiltered_html is applied to posts and comments, not to plugin options, so a plugin that registers a setting without a sanitize_callback and echoes it unescaped re-creates exactly the capability that withholding unfiltered_html was meant to remove. The payload persists until the setting is overwritten and fires each time the affected page is rendered, whether that is the plugin's own settings screen or a front-end donation form that prints the value.
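The pattern described above, and its hardened counterpart, as an added illustration in PHP. This is not IDonate's code: the option group, option names, hook names and function names (`example_*`) are hypothetical, and the plain-text and rich-text fields are chosen to show the two escaping contexts a settings page typically has.

```php
<?php
/**
 * Added example, not IDonate code. Option and function names are
 * hypothetical. Shows how a WordPress plugin setting becomes a stored-XSS
 * sink, and the two controls that close it: a sanitize_callback on save and
 * escaping on output.
 */

// --- Vulnerable pattern: stored raw, printed raw ---------------------------

function example_register_settings_vulnerable() {
    // No sanitize_callback: whatever the admin submits is written as-is to
    // wp_options. WordPress core applies no KSES filtering to options, so the
    // unfiltered_html restriction is not enforced here at all.
    register_setting( 'example_group', 'example_form_title' );
    register_setting( 'example_group', 'example_thank_you_message' );
}

function example_render_form_vulnerable() {
    $title   = get_option( 'example_form_title', '' );
    $message = get_option( 'example_thank_you_message', '' );
    // Unescaped output. A stored title such as
    //   Donate" onfocus="alert(document.domain)" autofocus="
    // or a message containing <script>...</script> executes in the browser of
    // every user who loads this form, the super admin included.
    echo '<input type="text" name="title" value="' . $title . '">';
    echo '<div class="thank-you">' . $message . '</div>';
}

// --- Hardened pattern ------------------------------------------------------

// Plain-text field: never needs markup, so strip it on save and escape on
// output. sanitize_text_field() removes tags and encoded control characters.
function example_sanitize_form_title( $value ) {
    return sanitize_text_field( (string) $value );
}

// Rich-text field: only users holding unfiltered_html may store raw markup.
// On multisite that is normally the super admin alone; everyone else gets
// KSES post filtering, which removes <script>, on* handlers and javascript:
// URLs while keeping ordinary formatting.
function example_sanitize_thank_you_message( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

function example_register_settings_hardened() {
    register_setting(
        'example_group',
        'example_form_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_form_title',
            'default'           => '',
        )
    );
    register_setting(
        'example_group',
        'example_thank_you_message',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_thank_you_message',
            'default'           => '',
        )
    );
}

function example_render_form_hardened() {
    $title   = get_option( 'example_form_title', '' );
    $message = get_option( 'example_thank_you_message', '' );
    // Escape per context on output, regardless of what was stored. This is
    // the second control: a value written before the sanitize_callback
    // existed (a pre-fix install) still cannot break out of the attribute or
    // inject script.
    echo '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
    echo '<div class="thank-you">' . wp_kses_post( $message ) . '</div>';
}

add_action( 'admin_init', 'example_register_settings_hardened' );
```

Note that the hardened renderer passes the rich-text message through `wp_kses_post()` even for values a super admin stored, so a thank-you message can never carry script on this site; a plugin that genuinely needs to let unfiltered_html users emit raw markup would gate that output call on the same capability check used in the sanitizer, and accept the resulting risk deliberately.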

The realistic impact is not cookie theft: WordPress sets its authentication cookies with the HttpOnly flag, so injected script cannot read them. What the script can do is act as the victim from inside the victim's browser. It can fetch an admin page to obtain a valid nonce and then submit authenticated requests, for example to create an administrator account, change a password or install a plugin, wherever the victim holds those capabilities. In a multisite network that is the escalation path: a site administrator plants the payload, a super admin opens the affected page, and the script performs network-level actions that the site administrator could not perform directly. Plugin options are stored per site, so the stored payload does not itself spread to other sites in the network; what spans the network is the super admin's session that the payload rides.

Remediation is an update of the plugin to a release in which the affected settings are sanitised on save and escaped on output. The summary above only establishes that versions through 1.9.0 are affected, so confirm the fixed version against the plugin's changelog rather than assuming the next release number. Updating alone is not sufficient where a payload was stored before the fix: a sanitize_callback runs only when a setting is saved, so the plugin's stored options should be audited for markup after the update and rewritten if anything is found. Compensating controls are of limited value against an attacker who is already an administrator, but they narrow the window: keep the set of site administrators small, log changes to plugin options (the updated_option hook carries the old and new values), and test a Content Security Policy on the admin area, bearing in mind that WordPress's admin screens depend on inline scripts, so a policy strict enough to block this class of payload needs careful validation. A web application firewall may catch an obvious script tag in a settings POST but is easy to evade with encoded or attribute-based payloads. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation); it does not map to ATT&CK T1548.003, which is Sudo and Sudo Caching, and the nearest ATT&CK technique for stored XSS is T1059.007 (Command and Scripting Interpreter: JavaScript).
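The post-update audit described above, as an added example that is not part of this page or of the IDonate plugin. It checks, on every site of a multisite network, whether the named options already hold markup that KSES would strip; the option names passed in at the bottom are hypothetical placeholders and must be replaced with the plugin's real option keys.

```php
<?php
/**
 * Added example, not IDonate code. Finds plugin settings that already
 * contain markup a non-unfiltered_html user should never have been able to
 * store (a payload written before the plugin was updated). Run with WP-CLI:
 *   wp eval-file audit.php --skip-plugins --skip-themes
 * Option names below are hypothetical.
 */

function example_audit_options( array $option_names ) {
    $findings = array();
    foreach ( $option_names as $name ) {
        $stored = get_option( $name );
        if ( ! is_string( $stored ) || '' === $stored ) {
            continue;
        }
        // wp_kses_post() removes <script>, event-handler attributes and
        // javascript: URLs. If it changes the value, the stored value holds
        // something the settings sanitizer would have rejected.
        $clean = wp_kses_post( $stored );
        if ( $clean !== $stored ) {
            $findings[] = array(
                'blog_id'   => get_current_blog_id(),
                'option'    => $name,
                'stored'    => $stored,
                'sanitised' => $clean,
            );
        }
    }
    return $findings;
}

function example_audit_network( array $option_names ) {
    if ( ! is_multisite() ) {
        return example_audit_options( $option_names );
    }
    $all = array();
    // 'number' => 0 removes WP_Site_Query's default cap of 100 sites.
    foreach ( get_sites( array( 'fields' => 'ids', 'number' => 0 ) ) as $blog_id ) {
        switch_to_blog( $blog_id );
        $all = array_merge( $all, example_audit_options( $option_names ) );
        restore_current_blog();
    }
    return $all;
}

// Hypothetical option keys; substitute the plugin's real ones.
$findings = example_audit_network(
    array( 'example_form_title', 'example_thank_you_message' )
);

if ( empty( $findings ) ) {
    echo "No stored markup found.\n";
}
foreach ( $findings as $f ) {
    printf(
        "site %d, option %s\n  stored:    %s\n  sanitised: %s\n",
        $f['blog_id'],
        $f['option'],
        $f['stored'],
        $f['sanitised']
    );
}
```

Treat a hit as a finding to investigate rather than something to silently overwrite: the stored value tells you what was injected, and the site's user and activity records tell you which administrator saved it.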

Reservation

04/10/2024

Disclosure

05/23/2024

Moderation

accepted

CPE

ready

EPSS

0.00518

KEV

no

Activities

very low
