CVE-2023-47550
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin 'Donations Made Easy – Smart Donations' that can be chained into stored cross-site scripting (XSS): an attacker tricks an authenticated administrator into submitting a forged request, and the script carried by that request is stored by the plugin and later rendered on the site. All WordPress sites running a vulnerable version of this plugin are affected.
💻 Affected Systems
- RedNao Donations Made Easy – Smart Donations WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals administrator credentials, redirects users to phishing sites, or takes full control of the WordPress site.
Likely Case
Attackers inject malicious scripts that steal session cookies or perform unauthorized actions on behalf of authenticated users, potentially compromising donor data.
If Mitigated
With proper CSRF protections and input validation, the attack would fail or have minimal impact.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into clicking a malicious link, but the technical complexity is low.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.13 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Donations Made Easy – Smart Donations'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 4.0.13+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched:
wp plugin deactivate smart-donations
CSRF Protection Headers
Add CSRF protection headers to the WordPress configuration. Add to .htaccess:
Header set X-Frame-Options DENY
Header set Content-Security-Policy "default-src 'self'"
Note that a policy of default-src 'self' also blocks the inline scripts and styles the WordPress admin interface relies on; test it on a staging site before enforcing it in production.
🧯 If You Can't Patch
- Disable the 'Donations Made Easy – Smart Donations' plugin immediately
- Implement web application firewall (WAF) rules to block CSRF and XSS patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Donations Made Easy – Smart Donations → Version number
Check Version:
wp plugin get smart-donations --field=version
Verify Fix Applied:
Verify plugin version is 4.0.13 or higher in WordPress admin panel
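The version check above as a script, added here as an example (it is not part of the advisory, the plugin, or WP-CLI). It reads the value printed by the wp plugin get smart-donations --field=version command named above and compares it numerically against 4.0.13, so that a release such as 4.0.9 is not mistaken for a patched one by a plain string comparison. The installed_version helper and its wp_path argument (passed to WP-CLI as --path) are assumptions for sites where the script is not run from inside the WordPress directory.

```python
"""Patched-version check for the smart-donations plugin.
Added example for this advisory; not code from the plugin or from WP-CLI."""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "4.0.13"   # first fixed release named in the advisory
PLUGIN_SLUG = "smart-donations"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.0.12' (or 'v4.0.12-beta1') into a tuple of ints for numeric comparison."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the first fixed release.

    Comparison is numeric per component, so 4.0.9 < 4.0.13; a plain string
    comparison would wrongly report 4.0.9 as newer than 4.0.13.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # treat '4.1' as '4.1.0'
    b += (0,) * (width - len(b))
    return a < b


def installed_version(slug: str = PLUGIN_SLUG, wp_path: Optional[str] = None) -> str:
    """Read the plugin version with the WP-CLI command given in the advisory.

    wp_path is an assumption for this example: pass the WordPress root when the
    script is not run from inside the install; WP-CLI accepts it as --path.
    """
    cmd = ["wp", "plugin", "get", slug, "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    state = "VULNERABLE, update to 4.0.13 or later" if is_vulnerable(version) else "patched"
    print(f"{PLUGIN_SLUG} {version}: {state}")
```

Run it from the WordPress root (or pass wp_path) on each site that carries the plugin; a non-zero exit from WP-CLI, for example when the plugin is not installed, surfaces as a CalledProcessError rather than a silent "patched" result.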
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with plugin-specific parameters
- Multiple failed CSRF token validations in WordPress logs
Network Indicators:
- Unexpected JavaScript injection in donation forms or admin pages
- Suspicious iframe or script tags in plugin-related HTTP responses
SIEM Query:
source="wordpress.log" AND ("smart-donations" OR "donations-made-easy") AND ("csrf" OR "xss" OR "script injection")
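The log indicators above turned into a small scanner, added here as an example that is not part of the advisory. It parses combined-format web server access log lines and flags POSTs to /wp-admin/admin-ajax.php whose Referer is missing or belongs to another origin, which is what a request forged from a lure page produces, and additionally notes plugin-specific parameters when they appear in the query string. The site host, the plugin marker strings and the four log lines are constructed assumptions. Since standard access logs do not record the POST body, the Referer check is the more dependable of the two signals; it also depends on browsers still sending a Referer, so a strict Referrer-Policy on the lure page can blank it, which is why an absent Referer is flagged too.

```python
"""Flag cross-site POSTs to admin-ajax.php in a combined-format access log.
Added example for this advisory; the site host, parameter markers and log lines
below are constructed, not taken from the plugin or from real traffic."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SITE_HOST = "donate.example.org"                                   # assumed: your own site host
PLUGIN_MARKERS = ("smart-donations", "smart_donations", "rednao")  # assumed substrings of plugin actions/params


def parse_line(line):
    """Return the log fields as a dict, or None when the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, site_host=SITE_HOST):
    """Reasons this entry looks like a forged admin-ajax request; empty for benign traffic."""
    reasons = []
    if entry["method"] != "POST":
        return reasons
    url = urlsplit(entry["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return reasons
    # A browser sends the submitting page's origin as Referer; a lure page sends a foreign one.
    referer = entry["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    if ref_host is None:
        reasons.append("admin-ajax POST without Referer")
    elif ref_host != site_host:
        reasons.append(f"admin-ajax POST referred from foreign origin {ref_host}")
    # The POST body is not logged, so plugin parameters are visible only in the query string.
    action = " ".join(parse_qs(url.query).get("action", []))
    if any(marker in (action + " " + url.query).lower() for marker in PLUGIN_MARKERS):
        reasons.append(f"plugin-specific parameters in query string: {action or url.query}")
    return reasons


def scan(lines, site_host=SITE_HOST):
    """Return (ip, timestamp, target, reasons) for every suspicious request in lines."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, site_host)
        if reasons:
            hits.append((entry["ip"], entry["ts"], entry["target"], reasons))
    return hits


# Constructed sample log: one ordinary page view, one legitimate same-origin admin-ajax POST,
# one POST referred from a foreign page carrying a plugin action, one POST with no Referer.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Nov/2023:09:14:02 +0000] "GET /donate/ HTTP/1.1" 200 8213 '
    '"https://donate.example.org/" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Nov/2023:09:15:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 '
    '"https://donate.example.org/wp-admin/admin.php?page=smart-donations" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Nov/2023:09:16:40 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=smart_donations_save HTTP/1.1" 200 12 '
    '"https://lure.example.net/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Nov/2023:09:17:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 10 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, target, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {target}: {'; '.join(reasons)}")
```

On the sample above the same-origin admin POST is left alone while the two requests from 203.0.113.9 are reported; on a real server feed the access log through scan() and set SITE_HOST to the hostname administrators actually use, since a mismatch there (www versus bare domain) would flag every legitimate admin request.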
🔗 References
- https://patchstack.com/database/vulnerability/smart-donations/wordpress-donations-made-easy-smart-donations-plugin-4-0-12-cross-site-scripting-xss-vulnerability-2?_s_id=cve