CVE-2024-13690 HIGH

CVE-2024-13690: WP Church Donation <= 1.7 - Unauthenticated Stored Cross-Site Scripting

Vendor Ashishajani
Product WP Church Donation
Weakness CWE-79 · XSS
Published March 25, 2025
Last update April 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The WP Church Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several donation form submission parameters in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Explanation of Vulnerability in Simple Terms

02Summary

WP Church Donation versions 1.7 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into the site without authentication. The vulnerability affects the plugin's handling of user input, enabling attackers to execute JavaScript in visitors' browsers. This can lead to session hijacking, credential theft, or malware distribution to site users.

What an attacker can do

03Attacker Capabilities

Inject and execute malicious JavaScript code that runs in visitors' browsers when they view affected pages.

Potential impact on your site

04Site Impact

Visitors' sessions and credentials can be compromised; malware or phishing content can be injected into your site without your knowledge.

Conditions required to exploit

05Prerequisites

No authentication or user interaction required; attacker can exploit this remotely by crafting a malicious URL or embedding code in the site.

Key dates

06Disclosure timeline

March 25, 2025 CVE published
April 8, 2026 Record updated