Charitable Blog

Everything you need to know about Charitable and our team.

Release Notes: Charitable 1.6.51 Fixes a Critical Security Vulnerability

Last updated on

  • By
Eric Daams

Last Friday we released Charitable 1.6.51, which fixes a critical security vulnerability affecting any website using Charitable. While we are not aware of any exploits of the vulnerability, we are urging everyone to upgrade to Charitable 1.6.51 as soon as possible.

For those using Charitable Ambassadors, version 2.1.8 was released yesterday, providing additional security fixes and updating is highly recommended. Charitable Recurring Donations 1.2.9 also has a small fix today related to form validation.

A bit of background

Last week, Charitable user Asif Minhas reached out to us about a Cross Site Scripting vulnerability. This vulnerability was limited in its severity, as it could only be exploited by users with the Campaign Manager role. This vulnerability has also been fixed in Charitable 1.6.51.

In the process of investigating this, we discovered a much more serious Cross Site Scripting vulnerability that could be exploited by anonymous users. The vulnerability was found on Thursday afternoon and on Friday evening we released Charitable 1.6.51.

There are a number of changes in Charitable 1.6.51 that may affect some users, which we will cover in a little more detail below.

Campaign Managers and the unfiltered_html capability

Charitable 1.6.51 removes the unfiltered_html capability from the Campaign Manager role. This means that Campaign Managers will not be able to add certain HTML tags such as <iframe> and <embed>, as well as Javascript code.

While there can be good reasons for Campaign Managers to have this role, we determined that the default in Charitable should be for this capability to only be available to Administrators. (WordPress also makes this capability available to the Editor role, but Editors are not able to create or edit campaigns, so this does not affect Charitable).

If you would like to continue providing Campaign Managers with the unfiltered_html capability, this can be achieved by using one of the role capability editor plugins listed at https://wordpress.org/support/article/roles-and-capabilities/#plugins.

Quick aside: As mentioned above, Editors and Administrators both have the ability to add unfiltered_html. If you would like to disable this altogether, you can do so by adding the following line to your wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );

Adding HTML to donation amount descriptions

Previously, when adding suggested donation amounts, it was possible to add HTML to the suggested donation amount descriptions. With Charitable 1.6.51, this will no longer be possible by default.

But if you really want to be able to add HTML to your suggested donation amount descriptions, you can re-enable this ability using the charitable_sanitize_suggested_amount_description filter, by simple adding the following to a custom plugin, your theme’s functions.php file, or with a plugin like Code Snippets:

add_filter( 'charitable_sanitize_suggested_amount_description', '__return_false' );

Is it safe to do this? That depends on your situation. If the only people creating campaigns on your website are Administrators, then this should be fine. However, if you have Campaign Managers creating campaigns as well, or if you are using Charitable Ambassadors and campaign creators can set suggested amounts for their campaigns, be aware that this does allow those users to add HTML to their amount descriptions as well.

That said, even if you do turn off sanitization of the suggested amount descriptions, Charitable still ensures that no unsafe HTML is added, such as Javascript code, by filtering the content using wp_kses_post.

A final word

We’re sorry to everyone using Charitable for this security vulnerability. We’re disappointed and frankly more than a little bit embarrassed by this. We will continue to do our absolute best to make sure that Charitable is a simple, secure way for you to accept donations on your website.

Thank you to Asif Minhas, who reported the vulnerability related to Campaign Managers, and Robert Rowley from WPScan who was also in touch regarding the Campaign Managers issue.

If you have any concerns about this release or would like a hand with anything else related to Charitable, get in touch with us! We’re always happy to help.

If you have found a security vulnerability and would like to report it, please email us at [email protected].

author avatar
Eric Daams
See Full Bio

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. We only recommend products that we believe will add value to our readers.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get free tips and resources right in your inbox, along with 60,000+ others

Join our Newsletter

We won’t spam you. We only send an email when we think it will genuinely help you. Unsubscribe at any time!

Follow Us

Featured Video:

Watch more videos on our YouTube channel.

Popular Resources

Recurring Donations

Donor Management

Peer-to-Peer Fundraising

Integrations

Extensions

What's New In Charitable

View The Latest Updates
🔔 Subscribe to get our latest updates
📧 Subscribe to Emails

Email Subscription

Join our Newsletter

We won’t spam you. We only send an email when we think it will genuinely help you. Unsubscribe at any time!

Addon Donations Improvement

🎈Recurring Donations 2.0: Smarter Automation, Better Recovery, and More Control

We’ve completely rebuilt our Recurring Donations system to help you grow your reliable income stream while giving you (and your donors) more powerful tools than ever before.

What’s New:

🔒 Recurring-Only Campaigns: You can toggle “Recurring Only” mode in the campaign builder to hide the one-time option entirely, ensuring your supporters stay focused on long-term commitment.

📧 Automatic Payment Recovery: Our new Payment Failed Email fires automatically the moment a subscription fails.

🛠️ Self-Service Donor Control:The new Cancel Subscription Button appears directly in the donor dashboard, allowing supporters to pause or end their recurring gifts on their own terms—reducing your admin burden and payment disputes.

📊 Real-Time Revenue Insights: Track your growth, monitor active subscriptions, and see exactly how much predictable support is coming in each month at a glance.

Our new Recurring Donations addon gives you the professional-grade tools you need to grow your mission.

author avatar
Eric Daams
See Full Bio
Campaigns New

🧡 Modal Donate Button: Turn Any Click into a Contribution

Instead of redirecting users to a new URL, the lightweight Modal Donation Button allows donors to complete their gift in a sleek, focused popup, keeping them engaged with your content while they support your cause.

What’s New:

  • Zero-Friction Giving: Open your donation form in a responsive modal overlay. Donors stay on the same page, reducing drop-off.

  • 🖱️ Place it Anywhere: Use the dedicated WordPress block or a simple shortcode to drop a donate button into sidebars, footers, or even mid-sentence in your storytelling.

  • 🎨 Full Design Control: Match your brand perfectly with customizable background colors, hover effects, border radius, and font sizes—all without touching a single line of CSS.

Whether you need a simple “Donate Now” link or a high-converting popup button, the Modal Donate Button gives you the flexibility to raise more with less effort.

author avatar
Eric Daams
See Full Bio
donation form Donations New

💵 Mini Donation Widget: Show The Impact Of Every Dollar!

Not every donor who wants to give will navigate to your campaign page. Meet them exactly where they are by placing a fully functional giving experience directly on any page or post.

💬 Show the impact of every dollar: Attach custom messages to each preset amount so donors understand exactly what their gift provides.
🔄 Monthly and one-time giving: Supports a tabbed interface with independent amounts and impact statements for recurring giving programs.
🎨 Match your brand: Easily set accent colors and control size or alignment to fit the widget naturally into your layout without CSS.
⚡ Reduce donor friction: Open the donation form in a modal overlay to keep donors on the page and reduce drop-off.

author avatar
Eric Daams
See Full Bio
Donations Live New

👉🏻 Showcase Real Momentum with the Donations Feed

Give your donors a reason to trust. Our new feed lets you display a living, breathing record of people showing up for your cause.

🤝 Build instant trust: Overcome donor hesitation by showing a proven track record of community support.
💬 Highlight donor stories: Display real donor comments and locations to show the human side of your fundraising.
🛠️ Drop it anywhere: Easily add the block to your homepage, campaign pages, or confirmation screens in seconds.
📈 Curate your feed: Group multiple donations from the same person or sort by highest amounts to encourage larger gifts.

author avatar
Eric Daams
See Full Bio
Campaigns New

🎨 Campaign Showcase: Pro Level Display, No Coding Needed.

Display your causes with style and make it easier than ever for donors to find the right campaign. We are excited to announce the brand-new Campaign Showcase, a powerful, no-code tool designed to help you create beautiful, high-converting campaign grids and carousels.

The Ultimate Discovery Experience

Your mission deserves to be seen. With the Campaign Showcase, you can move beyond simple lists and create dynamic displays that highlight your most urgent needs, helping donors connect with the causes they care about most.

⚡ No-Code Customization: Effortlessly change layouts, columns, and styles with a single click. Whether you want a clean grid or an interactive carousel, you can match your organization’s look without any CSS or JavaScript.

🎯 Advanced Search & Filter: Empower your supporters with real-time filtering. Donors can quickly sort through campaigns by tags, popularity, or “ending soon,” making it easy to find exactly where their help is needed.

💰 Quick Donate Integration: Boost your conversions with instant giving. The Showcase allows donors to contribute via a modal popup directly from the display, featuring pre-selected amounts for a faster, friction-free experience.

author avatar
Eric Daams
See Full Bio
View All Announcements