CVE-2024-13690: 
WordPress vulnerability analysis and mitigation

The WP Church Donation plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13690) affecting all versions up to and including 1.7. The vulnerability was discovered and disclosed on March 24, 2025, with the plugin being temporarily closed on March 20, 2025 pending a full security review (NVD, WordPress Plugin).

The vulnerability exists due to insufficient input sanitization and output escaping in several donation form submission parameters. This results in a Stored Cross-Site Scripting (XSS) vulnerability, classified as CWE-79. The vulnerability has received a CVSS v3.1 score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (Wordfence).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses an injected page. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' browsers (NVD).

The plugin has been temporarily closed and is not available for download as of March 20, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).