CVE-2025-47520: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in Syed Balkhi's Charitable WordPress plugin affecting versions through 1.8.5.1. The vulnerability was reported on April 10, 2025, and publicly disclosed on May 7, 2025. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 base score of 5.9 (Medium) (Wiz, NVD).

The vulnerability is characterized by improper neutralization of input during web page generation, allowing for stored XSS attacks. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requires high privileges (PR:H), user interaction (UI:R), and has a changed scope (S:C) with low impact on confidentiality, integrity, and availability (NVD, Patchstack).

If exploited, this vulnerability could allow an authenticated attacker with administrative privileges to inject malicious scripts into the website. These scripts could be used to create redirects, insert unwanted advertisements, or execute other malicious HTML payloads that would affect visitors to the affected website (Wiz, Patchstack).

The vulnerability has been patched in version 1.8.5.2 of the Charitable plugin. Users are advised to update to this version or later to remove the vulnerability (Wiz, Patchstack).