CVE-2024-3594 - Stored XSS Vulnerability in IDonate WordPress Plugin (<= 1.9.) Explained

---

WordPress plugins are one of the best things about using WordPress, but sometimes they create security issues. CVE-2024-3594 is a new security flaw affecting the IDonate plugin up to version 1.9.. If you use this plugin, you should know about this vulnerability and how to stay safe.

What is CVE-2024-3594?

CVE-2024-3594 is a stored cross-site scripting (XSS) vulnerability in the IDonate plugin for WordPress. This means a hacker who has high-level access (like another site admin) could inject malicious code into your website—even if your site blocks unfiltered HTML (for example, in a multisite network).

The issue is caused because IDonate doesn’t properly sanitize or “escape” its settings inputs when an admin saves them. As a result, dangerous JavaScript code can be saved and run later for other users.

Why is This Serious?

- Stored XSS is persistent. Once a bad script is saved, it triggers whenever someone views the infected part of your site (like the admin dashboard).
- This is especially dangerous in multisite setups, where admins might NOT have the unfiltered_html permission, but still could inject scripts due to the bug.
- An attacker could use this to steal admin cookies, redirect site visitors, or even take over user accounts.

Let’s walk through a simple attack scenario

1. A site administrator (or someone with similar high privileges) edits a donation campaign or changes plugin settings.
2. They insert JavaScript code in one of the vulnerable fields, like the campaign name or thank-you message.

Because the plugin doesn’t sanitize the input, the script is stored in the database.

4. Later, when any admin or staff visits the settings page or the donation listing in the dashboard, the malicious script runs in their browser.

Here’s a simple code example of a payload an attacker might use

<script>alert('XSS in IDonate!');</script>

When this payload is saved in a plugin field (for instance, a campaign title) and then someone views that campaign in the WordPress dashboard, their browser pops up the message. Hackers can replace this with much more dangerous JavaScript.

Below is a snippet showing what a vulnerable code section in the plugin might look like

<?php
$thankyou_message = get_option('idonate_thankyou_message');
echo $thankyou_message; // BAD: output is not escaped
?>

FIX: Always escape output using proper WordPress functions.

<?php
$thankyou_message = get_option('idonate_thankyou_message');
echo esc_html($thankyou_message); // GOOD: escapes HTML
?>

Vulnerable versions: IDonate plugin version 1.9. and earlier

- Vulnerable settings: Any text field that is not sanitized or escaped (e.g. campaign name, thank-you message)

Attack vector: Valid admin user (or someone with high privilege, but without unfiltered_html)

- Type: Stored/persistent XSS

What Should You Do?

- Update immediately: Check for an updated version of IDonate. IDonate on WordPress.org
- Sanitize manually: If you can’t update or need a quick patch, sanitize your plugin settings in the database.

Limit high-level access: Only give admin access to trusted users.

- Check for payloads: Look at the plugin’s settings for suspicious code, like <script> or onerror=.

More Info and References

- CVE Record: CVE-2024-3594
- IDonate Plugin at WP.org
- Wordfence Blog (WAF Protection)
- Cross Site Scripting (XSS) Overview

TL;DR

CVE-2024-3594 is a dangerous XSS flaw in the IDonate plugin <= 1.9.. Even without unfiltered HTML, admins can inject malicious scripts that execute for other users. Update your plugin, check your site, and be careful who gets admin access.

Timeline

Published on: 05/23/2024 06:15:10 UTC
Last modified on: 03/20/2025 19:15:29 UTC