CVE-2022-1396

CVE-2022-1396: Donorbox < 7.1.7 - Admin+ Stored Cross-Site Scripting

Vendor Unknown

Product Donorbox – Free Recurring Donation Form

Weakness CWE-79 · XSS

Published April 25, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed

Key dates

02Disclosure timeline

April 25, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1396 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-9344 BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript <= 2.1.1 - Reflected Cross-Site Scripting CVE-2025-31017 WordPress Nav Menu Manager plugin <= 3.2.5 - Cross Site Scripting (XSS) Vulnerability CVE-2025-24634 WordPress Orbisius Simple Notice plugin <= 1.1.3 - Cross Site Scripting (XSS) vulnerability CVE-2024-43994 WordPress Kahuna theme <= 1.7.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-31624 WordPress Processing Projects plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability