CVE-2025-58956 Overview
CVE-2025-58956 is a Cross-Site Request Forgery (CSRF) vulnerability in the loopus WP Attractive Donations System WordPress plugin (wp-attractive-donations-system-easy-stripe-paypal-donations). The flaw enables attackers to chain CSRF with Stored Cross-Site Scripting (XSS), persisting attacker-controlled JavaScript in the WordPress site after a privileged user is tricked into visiting a crafted page. The issue affects all plugin versions up to and including 1.29. The vulnerability is tracked under CWE-352: Cross-Site Request Forgery.
Critical Impact
An authenticated administrator visiting an attacker-controlled page can be forced to inject persistent JavaScript into the site, leading to session theft, account takeover, or further compromise of site visitors.
Affected Products
- loopus WP Attractive Donations System plugin for WordPress, versions up to and including 1.29
- WordPress sites accepting donations through the plugin's Stripe and PayPal integrations
- Administrator and editor sessions interacting with the plugin's settings interface
Discovery Timeline
- 2025-09-22 - CVE-2025-58956 published to NVD
- 2026-04-23 - Last updated in the NVD database
Technical Details for CVE-2025-58956
Vulnerability Analysis
The plugin's state-changing endpoints fail to validate CSRF tokens (WordPress nonces) before processing requests. An attacker hosts a page that submits a forged request to the vulnerable plugin endpoint. When a logged-in administrator visits this page, the browser automatically attaches authentication cookies, and WordPress processes the request as legitimate.
The forged request writes attacker-supplied input to plugin configuration or content fields. Because the plugin also fails to sanitize or encode that input before rendering it, the payload persists as Stored XSS. The combination converts a single victim click into durable JavaScript execution in any subsequent administrator or visitor session that loads the affected page.
Root Cause
The root cause is the absence of nonce verification using wp_verify_nonce() or check_admin_referer() on form-handler endpoints. Compounding the issue, output paths do not apply esc_html(), esc_attr(), or wp_kses() before rendering stored values, allowing arbitrary script content to execute in the browser context.
Attack Vector
Exploitation requires user interaction. The attacker delivers a malicious link or embedded resource through phishing, comment fields, or third-party sites. When a privileged user with an active WordPress session loads the resource, the browser issues the cross-site request. Successful exploitation produces stored script content executed under the victim site's origin, enabling cookie theft, administrative action forgery, and drive-by attacks against site visitors.
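The handler pattern described under Root Cause, shown beside its hardened form as an added example in WordPress PHP. This is illustrative code written for this page, not code from the WP Attractive Donations System plugin or from Patchstack: the hook names, the option name wpads_demo_thank_you_text and the form field are constructed, and the vulnerable functions are shown for contrast only and are never registered with WordPress.

```php
<?php
// Added illustration, not plugin code. All wpads_demo_* names and the option
// name are constructed for this example.

// --- Vulnerable pattern (the class of handler the advisory describes) ---
// No nonce check, no capability check, raw input stored, raw output rendered.
// Shown for contrast only; deliberately not hooked anywhere.
function wpads_demo_save_message_vulnerable() {
    if ( isset( $_POST['thank_you_text'] ) ) {
        update_option( 'wpads_demo_thank_you_text', $_POST['thank_you_text'] );
    }
}
function wpads_demo_render_message_vulnerable() {
    echo '<p class="wpads-thanks">' . get_option( 'wpads_demo_thank_you_text', '' ) . '</p>';
}

// --- Hardened pattern ---
// 1. Render the form with a nonce field bound to one specific action.
function wpads_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpads_demo_save_message">
        <?php wp_nonce_field( 'wpads_demo_save_message', 'wpads_demo_nonce' ); ?>
        <input type="text" name="thank_you_text"
               value="<?php echo esc_attr( get_option( 'wpads_demo_thank_you_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Verify the nonce and the capability before any state change, then sanitize.
function wpads_demo_save_message_hardened() {
    // check_admin_referer() stops with a 403 when the nonce is missing or invalid;
    // a forged cross-site form cannot supply a valid nonce for this user.
    check_admin_referer( 'wpads_demo_save_message', 'wpads_demo_nonce' );
    // A nonce proves intent, not authorization, so the capability check stays.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    $text = isset( $_POST['thank_you_text'] ) ? wp_unslash( $_POST['thank_you_text'] ) : '';
    // sanitize_text_field() strips tags and invalid UTF-8 before storage.
    update_option( 'wpads_demo_thank_you_text', sanitize_text_field( $text ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpads-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_wpads_demo_save_message', 'wpads_demo_save_message_hardened' );

// 3. Escape on output as well; sanitizing at storage time is not a substitute.
function wpads_demo_render_message_hardened() {
    echo '<p class="wpads-thanks">'
        . esc_html( get_option( 'wpads_demo_thank_you_text', '' ) )
        . '</p>';
}
```

If a field is meant to hold limited HTML rather than plain text, wp_kses_post() on input and on output is the WordPress idiom in place of sanitize_text_field() and esc_html(); the nonce and capability checks are unchanged either way.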
Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-58956
Indicators of Compromise
- Unexpected <script> tags, event handlers, or external script sources stored in WP Attractive Donations System configuration fields or donation form content
- WordPress administrator accounts created or modified shortly after a known administrator browsing session
- Outbound requests from administrator browsers to unfamiliar domains immediately after loading plugin admin pages
- Plugin option rows in wp_options or related tables containing encoded JavaScript payloads
Detection Strategies
- Audit plugin database tables and wp_options entries for HTML or JavaScript content where only plain text is expected
- Review web server access logs for POST requests to plugin admin endpoints lacking a valid Referer header from the same origin
- Inspect WordPress audit logs for configuration changes to the donations plugin without corresponding administrator UI activity
- Compare current plugin settings against known-good baselines to surface unauthorized modifications
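Two of the detection strategies above (scanning stored option values for markup where plain text is expected, and finding admin POSTs whose Referer is missing or from another host) as an added, stand-alone PHP script. It is not part of the plugin or the advisory, runs with the PHP CLI without WordPress, and the option rows, hostnames and access-log lines are constructed samples; the wpads_ prefix and option names are hypothetical.

```php
<?php
// Added detection helper, not plugin or advisory code. Sample data is constructed.

/**
 * Flag option values containing markup or script where only plain text is expected.
 * Each value is checked raw and after HTML-entity and URL decoding, so simply
 * encoded payloads are still caught. Heuristic: expect to review hits manually.
 */
function wpads_find_suspicious_option_values( array $rows ): array {
    $patterns = array(
        '/<\s*script\b/i',                     // script tag
        '/\bjavascript\s*:/i',                 // javascript: URL scheme
        '/\bon[a-z]+\s*=/i',                   // inline event-handler attribute
        '/<\s*(iframe|object|embed|svg)\b/i',  // other script-capable elements
    );
    $hits = array();
    foreach ( $rows as $row ) {
        $raw   = (string) $row['option_value'];
        $views = array( $raw, html_entity_decode( $raw, ENT_QUOTES ), urldecode( $raw ) );
        foreach ( $views as $view ) {
            foreach ( $patterns as $pattern ) {
                if ( preg_match( $pattern, $view ) ) {
                    $hits[] = $row['option_name'];
                    continue 3; // one hit per option row is enough
                }
            }
        }
    }
    return $hits;
}

/**
 * Parse combined-format access log lines and return POSTs to /wp-admin/ endpoints
 * whose Referer is absent ("-") or whose host differs from the site's host.
 */
function wpads_find_cross_origin_admin_posts( array $log_lines, string $site_host ): array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    $flagged = array();
    foreach ( $log_lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue; // not a combined-format line
        }
        list( , $ip, $ts, $method, $path, $status, $referer ) = $m;
        if ( $method !== 'POST' || strpos( $path, '/wp-admin/' ) !== 0 ) {
            continue;
        }
        $ref_host = ( $referer === '-' ) ? null : parse_url( $referer, PHP_URL_HOST );
        if ( $ref_host === null || strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $flagged[] = array(
                'ip' => $ip, 'time' => $ts, 'path' => $path,
                'status' => $status, 'referer' => $referer,
            );
        }
    }
    return $flagged;
}

// --- Constructed sample data (not real rows or logs) ---
$sample_rows = array(
    array( 'option_name' => 'wpads_demo_thank_you_text', 'option_value' => 'Thank you for donating!' ),
    array( 'option_name' => 'wpads_demo_button_label',   'option_value' => 'Donate &lt;script&gt;...&lt;/script&gt;' ),
    array( 'option_name' => 'wpads_demo_footer',         'option_value' => '<img src="x" onerror="/* placeholder */">' ),
);
$site_host  = 'donations.example';
$sample_log = array(
    '198.51.100.7 - - [22/Sep/2025:10:14:58 +0000] "GET /wp-admin/options-general.php HTTP/1.1" 200 8123 "https://donations.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Sep/2025:10:15:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Sep/2025:10:15:30 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://donations.example/wp-admin/options-general.php" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Sep/2025:10:16:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
);

foreach ( wpads_find_suspicious_option_values( $sample_rows ) as $name ) {
    echo "Suspicious option value: {$name}\n";
}
foreach ( wpads_find_cross_origin_admin_posts( $sample_log, $site_host ) as $hit ) {
    printf( "Cross-origin admin POST from %s at %s to %s (referer: %s)\n",
        $hit['ip'], $hit['time'], $hit['path'], $hit['referer'] );
}
```

On real data, feed the option scanner rows exported from wp_options (for example via WP-CLI or a read-only SQL query restricted to the plugin's option names) and the log checker the server's access log; a same-origin POST with no Referer is possible under a no-referrer policy, so treat a "-" hit as a lead to correlate with the administrator's session rather than as proof on its own.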
Monitoring Recommendations
- Enable a WordPress activity logging plugin to capture option changes, user creation, and plugin setting updates
- Forward web server and WordPress logs to a centralized SIEM for correlation of cross-origin requests with administrator sessions
- Alert on creation of new administrator accounts or modifications to user roles outside of change windows
How to Mitigate CVE-2025-58956
Immediate Actions Required
- Update WP Attractive Donations System to a version above 1.29 once a patched release is available from the vendor
- If no patch is available, deactivate and remove the plugin from production WordPress installations
- Force password resets and session invalidation for all administrator accounts that may have visited untrusted pages while authenticated
- Review plugin settings and stored donation form content for injected scripts and remove any unauthorized payloads
Patch Information
At the time of publication, the issue affects all versions up to and including 1.29. Monitor the Patchstack advisory and the plugin's WordPress.org page for a fixed release.
Workarounds
- Place the WordPress admin area behind a Web Application Firewall rule that enforces same-origin Referer and Origin headers on plugin endpoints
- Restrict /wp-admin/ access by source IP using web server or reverse proxy controls
- Require administrators to use a dedicated browser profile that does not visit untrusted sites during privileged sessions
- Apply a Content Security Policy that disallows inline scripts on administrative pages to limit Stored XSS execution
# Example nginx configuration restricting wp-admin to trusted IPs. The "^~" prefix stops
# nginx from evaluating regex locations, so the PHP handler must be nested here or PHP files
# under /wp-admin/ never reach PHP-FPM. /wp-admin/admin-ajax.php is also used by front-end features.
location ^~ /wp-admin/ {
    allow 203.0.113.0/24;
    deny all;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # adjust to the site's PHP-FPM socket
    }
}
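The same-origin Referer/Origin enforcement listed under Workarounds, implemented as an added example in the form of a WordPress must-use plugin (a file placed in wp-content/mu-plugins/) rather than a WAF rule. This is illustrative code written for this page, not code from the plugin, Patchstack or WordPress; it goes beyond the plugin's endpoints and checks every POST handled in the admin area, and the wpads_demo_ function names are constructed.

```php
<?php
/**
 * Plugin Name: Same-origin check for admin POSTs (added example)
 * Description: Rejects POST requests in the admin area whose Origin, or failing
 *              that Referer, host does not match the site's host. A stop-gap
 *              that complements nonce verification; it does not replace it.
 */

// Returns the host named by the Origin header, else the Referer header, else null.
function wpads_demo_request_source_host(): ?string {
    // Browsers send Origin on cross-site POSTs; Referer is the fallback.
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $_SERVER[ $header ] ) ) {
            $host = wp_parse_url( (string) $_SERVER[ $header ], PHP_URL_HOST );
            return $host ?: null; // "Origin: null" and malformed values yield null
        }
    }
    return null;
}

function wpads_demo_enforce_same_origin_admin_post(): void {
    if ( ( $_SERVER['REQUEST_METHOD'] ?? '' ) !== 'POST' ) {
        return;
    }
    // is_admin() is true for wp-admin pages, admin-post.php and admin-ajax.php.
    if ( ! is_admin() ) {
        return;
    }
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $source    = wpads_demo_request_source_host();
    // A POST carrying neither header is treated as cross-site. Non-browser tooling
    // that posts to the admin area without these headers would need an exemption here.
    if ( $source === null || strcasecmp( $source, (string) $site_host ) !== 0 ) {
        wp_die( 'Cross-site POST rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}
// Priority 0 so the check runs before plugin handlers attached to admin_init.
add_action( 'admin_init', 'wpads_demo_enforce_same_origin_admin_post', 0 );
```

Two caveats before deploying this: a site that sets Referrer-Policy: no-referrer on admin pages will see legitimate same-origin POSTs rejected, because browsers then send Origin: null and no Referer, so test with the site's actual policy first; and for the Content Security Policy workaround, the stock wp-admin interface relies on inline scripts, so a policy that disallows them should be rolled out as Content-Security-Policy-Report-Only and reviewed before enforcement.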
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.