{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12020", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T14:29:21.488Z", "datePublished": "2025-11-11T03:30:41.188Z", "dateUpdated": "2026-04-08T16:57:24.802Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:24.802Z"}, "affected": [{"vendor": "kanwei_doublethedonation", "product": "Double the Donation \u2013 A workplace giving tool", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Double the Donation \u2013 A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Double the Donation <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ba2d29-26dc-4c5f-9d9d-9a13e25c44b9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L59"}, {"url": "https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L79"}, {"url": "https://plugins.trac.wordpress.org/changeset/3393231/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kathleen Walsh"}, {"lang": "en", "type": "finder", "value": "ZAST.AI"}], "timeline": [{"time": "2025-11-10T15:02:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:41:59.457695Z", "id": "CVE-2025-12020", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:06:16.441Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12020", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T15:41:59.457695Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:42:03.603Z"}}], "cna": {"title": "Double the Donation <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Kathleen Walsh"}, {"lang": "en", "type": "finder", "value": "ZAST.AI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "kanwei_doublethedonation", "product": "Double the Donation \u2013 A workplace giving tool", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:02:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ba2d29-26dc-4c5f-9d9d-9a13e25c44b9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L59"}, {"url": "https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L79"}, {"url": "https://plugins.trac.wordpress.org/changeset/3393231/"}], "descriptions": [{"lang": "en", "value": "The Double the Donation \u2013 A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:24.802Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12020", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:24.802Z", "dateReserved": "2025-10-21T14:29:21.488Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:41.188Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Double the Donation \u2013 A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12020", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:45.970", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L59"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L79"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3393231/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ba2d29-26dc-4c5f-9d9d-9a13e25c44b9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:26:18.446001+00:00", "value": {"mitigation_remediation": ["Upgrade the Double the Donation plugin to version 3.1 or later, which contains the input sanitization and output escaping fix.", "If an update is not available, remove or disable the plugin on all sites where it is not essential, and restrict configuration changes to a single super\u2011administrator account to minimize the opportunity for malicious input.", "Implement a site\u2011wide Content Security Policy that blocks inline script execution and whitelists only trusted sources, reducing the impact of any residual injected content."], "summary": {"action": "Apply patch", "impact": "Stored cross\u2011site scripting for authenticated administrators"}, "threat_synthesis": {"affected_systems": "All releases of Double the Donation up to and including version 3.0.0 are affected when the plugin is installed on a multisite WordPress network and the site configuration has unfiltered_html disabled. The issue persists across WordPress versions and any network that grants administrators the capability to edit the plugin settings through the dashboard.", "description_and_impact": "The Double the Donation \u2013 A workplace giving tool plugin for WordPress contains an insecure admin settings page that stores user input without proper sanitization or output escaping. When a user with administrator\u2011level permissions or higher modifies these settings, arbitrary JavaScript can be written to the database and rendered on any page that loads the injected content. The injected script runs in the context of visitors, potentially allowing session hijacking, data theft, or defacement. The vulnerability is an example of CWE\u201179, classic stored cross\u2011site scripting.", "risk_and_exploitability": "The CVSS score of 4.9 places the flaw in the moderate severity range, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog, further suggesting limited active exploitation. The attack path requires the attacker to be a logged\u2011in administrator or higher, which narrows the threat surface to privileged accounts. Nonetheless, because the payload executes in users\u2019 browsers, any compromise of an administrator account could impact the entire multisite network. "}}}}, "created": "2025-11-12T12:47:44.062385+00:00", "updated": "2026-04-22T12:30:16.835029+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}