Charitable Blog


Release Notes: Charitable 1.6.51 Fixes a Critical Security Vulnerability


Last Friday we released Charitable 1.6.51, which fixes a critical security vulnerability affecting any website using Charitable. While we are not aware of any exploits of the vulnerability, we are urging everyone to upgrade to Charitable 1.6.51 as soon as possible.

For those using Charitable Ambassadors, version 2.1.8 was released yesterday, providing additional security fixes and updating is highly recommended. Charitable Recurring Donations 1.2.9 also has a small fix today related to form validation.

A bit of background

Last week, Charitable user Asif Minhas reached out to us about a Cross Site Scripting vulnerability. This vulnerability was limited in its severity, as it could only be exploited by users with the Campaign Manager role. This vulnerability has also been fixed in Charitable 1.6.51.

In the process of investigating this, we discovered a much more serious Cross Site Scripting vulnerability that could be exploited by anonymous users. The vulnerability was found on Thursday afternoon and on Friday evening we released Charitable 1.6.51.

There are a number of changes in Charitable 1.6.51 that may affect some users, which we will cover in a little more detail below.

Campaign Managers and the unfiltered_html capability

Charitable 1.6.51 removes the unfiltered_html capability from the Campaign Manager role. This means that Campaign Managers will no longer be able to add certain HTML tags, such as <iframe> and <embed>, or JavaScript code.

While there can be good reasons for Campaign Managers to have this capability, we determined that the default in Charitable should be for it to be available only to Administrators. (WordPress also grants this capability to the Editor role, but Editors are not able to create or edit campaigns, so this does not affect Charitable.)

If you would like to continue providing Campaign Managers with the unfiltered_html capability, this can be achieved by using one of the role capability editor plugins listed at https://wordpress.org/support/article/roles-and-capabilities/#plugins.

Quick aside: as mentioned above, Editors and Administrators both have the unfiltered_html capability. If you would like to disable it altogether, you can do so by adding the following line to your wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );
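The following is an added example, not code shipped by Charitable. It is a small WordPress plugin that lists which roles still grant unfiltered_html after the upgrade, notes when DISALLOW_UNFILTERED_HTML overrides them site-wide, and optionally restores the capability for Campaign Managers in code instead of through a role editor plugin. The role slug campaign_manager and the constant EXAMPLE_RESTORE_CM_UNFILTERED_HTML are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: unfiltered_html audit (added example)
 *
 * Copy this file into wp-content/mu-plugins/ to see which roles hold
 * unfiltered_html after upgrading to Charitable 1.6.51.
 */

// Return the slugs of every role whose definition grants unfiltered_html.
function example_roles_with_unfiltered_html() {
    $granted = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities']['unfiltered_html'] ) ) {
            $granted[] = $slug;
        }
    }
    return $granted;
}

// Show the result to administrators in the dashboard.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $roles = example_roles_with_unfiltered_html();
    // When the constant is set, map_meta_cap() denies unfiltered_html to
    // every user regardless of what the role definitions say.
    $disabled = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
    $message  = $disabled
        ? 'DISALLOW_UNFILTERED_HTML is set: no role can post unfiltered HTML.'
        : 'Roles granting unfiltered_html: ' . ( $roles ? implode( ', ', $roles ) : 'none' );
    printf( '<div class="notice notice-info"><p>%s</p></div>', esc_html( $message ) );
} );

// Optional: give the capability back to Campaign Managers. Only runs when
// the (hypothetical) constant below is defined as true in wp-config.php.
// Assumption: Charitable registers the role under the slug 'campaign_manager'.
add_action( 'init', function () {
    if ( ! defined( 'EXAMPLE_RESTORE_CM_UNFILTERED_HTML' ) || ! EXAMPLE_RESTORE_CM_UNFILTERED_HTML ) {
        return;
    }
    $role = get_role( 'campaign_manager' );
    // add_cap() persists the change, so guard it to avoid a write on every request.
    if ( $role && ! $role->has_cap( 'unfiltered_html' ) ) {
        $role->add_cap( 'unfiltered_html' );
    }
} );
```

The audit reads role definitions, which is why it checks the constant separately: current_user_can( 'unfiltered_html' ) is the check that reflects both the role and DISALLOW_UNFILTERED_HTML at runtime, and it is the one to use in any code of your own that decides whether a user may submit raw HTML.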

Adding HTML to donation amount descriptions

Previously, when adding suggested donation amounts, it was possible to add HTML to the suggested donation amount descriptions. With Charitable 1.6.51, this will no longer be possible by default.

But if you really want to be able to add HTML to your suggested donation amount descriptions, you can re-enable this ability using the charitable_sanitize_suggested_amount_description filter, by simply adding the following to a custom plugin, your theme’s functions.php file, or a plugin like Code Snippets:

add_filter( 'charitable_sanitize_suggested_amount_description', '__return_false' );

Is it safe to do this? That depends on your situation. If the only people creating campaigns on your website are Administrators, then this should be fine. However, if you have Campaign Managers creating campaigns as well, or if you are using Charitable Ambassadors and campaign creators can set suggested amounts for their campaigns, be aware that this does allow those users to add HTML to their amount descriptions as well.

That said, even if you do turn off sanitization of the suggested amount descriptions, Charitable still ensures that no unsafe HTML, such as JavaScript code, is added, by filtering the content with wp_kses_post.
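As an added example (not Charitable’s own code), here is a narrower way to use the filter that addresses the Campaign Manager caveat above: HTML is re-enabled only for users who already hold unfiltered_html, so Campaign Managers and Ambassadors campaign creators keep the 1.6.51 default. It assumes the filter passes a single boolean and runs while the campaign is being saved, so that current_user_can() refers to the user saving it; both are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Conditional HTML in amount descriptions (added example)
 */

// Assumption: the filter value is a boolean ($sanitize) and the filter runs
// during the save of the campaign by the current user.
add_filter( 'charitable_sanitize_suggested_amount_description', function ( $sanitize ) {
    // Administrators (the only role with unfiltered_html by default after
    // 1.6.51) may keep HTML in their descriptions.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return false;
    }
    // Everyone else, including Campaign Managers, keeps sanitization on.
    return $sanitize;
} );
```

Because current_user_can( 'unfiltered_html' ) also honours DISALLOW_UNFILTERED_HTML, a site that has disabled unfiltered HTML in wp-config.php keeps sanitization on for every user with this snippet in place. Descriptions that do get through still pass wp_kses_post, as the paragraph above describes.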

A final word

We’re sorry to everyone using Charitable for this security vulnerability. We’re disappointed and frankly more than a little bit embarrassed by this. We will continue to do our absolute best to make sure that Charitable is a simple, secure way for you to accept donations on your website.

Thank you to Asif Minhas, who reported the vulnerability related to Campaign Managers, and Robert Rowley from WPScan who was also in touch regarding the Campaign Managers issue.

If you have any concerns about this release or would like a hand with anything else related to Charitable, get in touch with us! We’re always happy to help.

If you have found a security vulnerability and would like to report it, please email us at [email protected].

Eric Daams
