CVE-2024-10876: 
WordPress vulnerability analysis and mitigation

The Charitable – Donation Plugin for WordPress (versions up to 1.8.3) contains a Reflected Cross-Site Scripting vulnerability due to improper URL escaping in the addqueryarg & removequeryarg functions. This vulnerability was discovered and reported on November 9, 2024 (NVD CVE).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability stems from insufficient escaping of URL parameters in the plugin's donation list table functionality (WordPress Plugin).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on malicious links. The impact is limited to client-side attacks that could potentially compromise user sessions or steal sensitive information (Wordfence Intel).

The vulnerability has been addressed in the plugin's codebase through proper URL parameter escaping, as evidenced by the changes in the WordPress plugin repository (Plugin Changes). Users should update to a version newer than 1.8.3 to protect against this vulnerability.