Donation Thermometer Security & Risk Analysis

wordpress.org/plugins/donation-thermometer

Displays a fully customisable thermometer for tracking donations or any other goal.

2K active installs · v2.2.7 · PHP 5.2+ · WP 4.6+ · Updated Nov 20, 2025
Tags: donate, donation, fundraising, thermometer, tracker
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Nov 26, 2025
Safety Verdict

Is Donation Thermometer Safe to Use in 2026?

Generally Safe

Score 98/100

Donation Thermometer has a good security track record: both known vulnerabilities are patched, the 2025 issue within 15 days, although the 2022 issue took 503 days to fix.

2 known CVEs · Last CVE: Nov 26, 2025 · Updated 4mo ago
Risk Assessment

The "donation-thermometer" plugin, version 2.2.7, exhibits a mixed security posture. On the positive side, static analysis found no dangerous functions, no SQL queries of any kind (zero raw and zero prepared), no file operations, no external HTTP requests and no bundled third-party libraries, so SQL injection, file handling and supply-chain risk are largely absent from this code base. The significant concern is output escaping: only 58% of outputs are escaped (277 of 475), leaving 198 unescaped. That is a Cross-Site Scripting (XSS) exposure in itself, and it matches the plugin's vulnerability history, which consists of two medium-severity stored XSS issues.

The attack surface is small: four shortcodes and no AJAX handlers or REST API routes, so there are no unauthenticated entry points, and the analysis found no critical or high-severity taint flows, which makes code execution or bulk data leakage unlikely. Shortcodes are not protected entry points in the authorization sense, though: anyone who can author a post (Contributor and above) controls their attributes, and the widget_text filter the plugin registers suggests shortcode output is reachable from text widgets as well. Both known CVEs are authenticated stored XSS, one at Contributor and one at Administrator level, which is consistent with unescaped shortcode attributes and unescaped settings values respectively. The most recent CVE is recent (2025-11-26) but was patched in 15 days, and nothing is currently unpatched. The static counts also show no nonce checks and no capability checks; that matters for the admin_init and admin_menu handlers in the hook list, although it may partly be a scanner limitation (WordPress menu registration carries its own capability argument), so the settings save path should be read by hand before treating it as a confirmed gap. Taken together, the pattern of past XSS and the escaping ratio indicate a persistent risk that requires ongoing attention.

In conclusion, the plugin does well in the categories that usually produce critical findings: no database access, no file or network operations, no unauthenticated entry points. The 198 unescaped outputs and the two stored XSS CVEs are the persistent weakness, and stored XSS should not be discounted as merely medium on WordPress, since a script running in an administrator's session can act with that administrator's rights. Site owners should run 2.2.7 or later and limit who can publish content containing the plugin's shortcodes; the developer should escape each remaining output for its context (esc_attr for attributes, esc_html for text, esc_url for links) and add nonce and capability checks to the settings handlers.

Key Concerns

  • Insufficient output escaping (58%)
  • History of 2 medium XSS vulnerabilities
  • No nonce checks implemented
  • No capability checks implemented
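The escaping gap in practice, as an added example that is not the plugin's own code: a hypothetical shortcode handler in the unsafe shape the 58% figure implies, beside its hardened form. The function names demo_therm_unsafe and demo_therm_safe and the attribute set are assumptions (the attribute names follow the data-* fingerprints listed further down); the four WordPress helpers are given offline stand-ins so the file runs with plain php.

```php
<?php
// Added example for this report; it is not code from the Donation Thermometer
// plugin. It models the gap the escaping ratio measures: a shortcode handler
// whose attributes are written by whoever authored the post (Contributor+).
//
// Offline stand-ins so the file runs with plain `php` and no WordPress. In a
// real plugin these come from core and must never be redefined; they mirror
// core behaviour only as far as this demo needs.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}
if (!function_exists('absint')) {
    function absint($n) { return abs((int) $n); }
}

// Hypothetical attribute set; the names follow the data-* fingerprints.
function demo_therm_defaults() {
    return ['raised' => 0, 'target' => 1000, 'currency' => '$', 'title' => ''];
}

// UNSAFE (hypothetical handler): attribute values are concatenated straight
// into markup. Each of these outputs is what a scanner counts as unescaped.
function demo_therm_unsafe($atts) {
    $a = shortcode_atts(demo_therm_defaults(), $atts);
    return '<div class="thermometer-container" data-raised="' . $a['raised'] . '"'
         . ' data-target="' . $a['target'] . '" data-currency="' . $a['currency'] . '">'
         . '<span class="donation-thermometer-text">' . $a['currency'] . $a['raised']
         . ' of ' . $a['currency'] . $a['target'] . '</span>'
         . '<h3>' . $a['title'] . '</h3></div>';
}

// HARDENED: numeric attributes are cast, free-text attributes are escaped for
// the context they land in (esc_attr inside a quoted attribute, esc_html in
// element text). %d can only ever emit digits, so data-raised/data-target
// need no further quoting.
function demo_therm_safe($atts) {
    $a            = shortcode_atts(demo_therm_defaults(), $atts);
    $raised       = absint($a['raised']);
    $target       = max(1, absint($a['target']));   // a 0 target would divide by zero in any percentage
    $currencyAttr = esc_attr($a['currency']);
    $currency     = esc_html($a['currency']);
    $title        = esc_html($a['title']);
    return sprintf(
        '<div class="thermometer-container" data-raised="%d" data-target="%d" data-currency="%s">'
        . '<span class="donation-thermometer-text">%s%d of %s%d</span>'
        . '<h3>%s</h3></div>',
        $raised, $target, $currencyAttr, $currency, $raised, $currency, $target, $title
    );
}

// Constructed payload, i.e. the attributes of
//   [thermometer raised='100" onmouseover="alert(1)' title='<img src=x onerror=alert(1)>']
// as a Contributor could type them into a post.
$attack = [
    'raised'   => '100" onmouseover="alert(1)',
    'target'   => '1000',
    'currency' => '$',
    'title'    => '<img src=x onerror=alert(document.cookie)>',
];

echo "UNSAFE:\n", demo_therm_unsafe($attack), "\n\n";
echo "SAFE:\n",   demo_therm_safe($attack),   "\n";
```

Run it with plain php: the unsafe output carries an injected onmouseover handler in data-raised and a live img onerror in the heading; the hardened output carries data-raised="100" and an entity-encoded title. The privilege split between the two CVEs is visible here too: a Contributor's post passes through wp_kses on save, which strips the on* handler from the img tag but leaves the quote breakout in the raised attribute untouched, so the attribute context is the realistic low-privilege vector, while an Administrator with unfiltered_html lands both. The same discipline applies to the settings side listed under Key Concerns: a save handler on admin_init should begin with check_admin_referer() and current_user_can('manage_options') before reading the request.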
Vulnerabilities (2)

Donation Thermometer Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)
2025: 1 CVE (patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-67550 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Donation Thermometer <= 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Nov 26, 2025 · Patched in 2.2.7 (15 days)
CVE-2022-3128 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Donation Thermometer <= 2.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 7, 2022 · Patched in 2.1.3 (503 days)
Code Analysis · Analyzed Mar 16, 2026

Donation Thermometer Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 198 (277 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

58% escaped (277 of 475 total outputs)
Attack Surface

Donation Thermometer Attack Surface

Entry Points: 4
Unprotected: 0

Shortcodes (4)

[thermometer] includes\therm_shortcode.php:309
[therm_r] includes\therm_shortcode.php:315
[therm_t] includes\therm_shortcode.php:358
[therm_%] includes\therm_shortcode.php:397
WordPress Hooks (13)

action · admin_init · donation_therm.php:37
action · admin_menu · donation_therm.php:38
action · wp_dashboard_setup · donation_therm.php:39
filter · plugin_row_meta · donation_therm.php:58
action · admin_init · donation_therm.php:121
action · admin_init · donation_therm.php:125
action · admin_init · donation_therm.php:153
filter · widget_text · donation_therm.php:187
action · admin_init · donation_therm.php:205
filter · admin_footer_text · donation_therm.php:229
filter · admin_footer_text · donation_therm.php:238
filter · admin_footer_text · donation_therm.php:244
filter · admin_footer_text · donation_therm.php:249
Maintenance & Trust

Donation Thermometer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 20, 2025
PHP min version: 5.2
Downloads: 97K

Community Trust

Rating: 88/100
Number of ratings: 12
Active installs: 2K
Developer Profile

Donation Thermometer Developer Profile

rhewlif

2 plugins · 2K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 259 days
Detection Fingerprints

How We Detect Donation Thermometer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/donation-thermometer/css/thermometer.css
/wp-content/plugins/donation-thermometer/js/thermometer.js
/wp-content/plugins/donation-thermometer/js/thermometer_dashboard.js
/wp-content/plugins/donation-thermometer/js/thermometer_front.js
Version Parameters
donation-thermometer/css/thermometer.css?ver=
donation-thermometer/js/thermometer.js?ver=
donation-thermometer/js/thermometer_dashboard.js?ver=
donation-thermometer/js/thermometer_front.js?ver=

HTML / DOM Fingerprints

CSS Classes
thermometer-container, donation-thermometer-widget-title, donation-thermometer-text
HTML Comments
<!-- Donate -->, <!-- End Donate -->, <!-- The Donate button -->, <!-- End The Donate button --> (+6 more)
Data Attributes
data-raised, data-target, data-orientation, data-shadow, data-filltype, data-currency (+28 more)
JS Globals
thermometer_script_vars
Shortcode Output
<svg class="thermometer-svg"
<div class="thermometer-container"
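Applying these fingerprints, as an added example rather than the scanner's own detection code: the function below takes already-fetched HTML, looks for the asset paths, the ?ver= parameter and the DOM markers listed above, and triages any version it finds against the two CVEs in the table. The sample HTML is constructed for the demo and example.test is a placeholder host; fetching the page (curl, wp_remote_get) is left to the caller.

```php
<?php
// Added example for this report, not the scanner's own detection code. Runs
// the fingerprints above over one HTML document and triages the version found.

function detect_donation_thermometer(string $html): array {
    $result = ['detected' => false, 'version' => null, 'evidence' => [], 'cves' => []];

    // 1. Enqueued asset paths, with the ?ver= parameter WordPress appends.
    $assets = ['css/thermometer.css', 'js/thermometer.js',
               'js/thermometer_dashboard.js', 'js/thermometer_front.js'];
    foreach ($assets as $asset) {
        $re = '#/wp-content/plugins/donation-thermometer/' . preg_quote($asset, '#')
            . '(?:\?ver=([0-9][0-9A-Za-z.\-]*))?#';
        if (preg_match($re, $html, $m)) {
            $result['evidence'][] = $asset;
            if (isset($m[1]) && $m[1] !== '' && $result['version'] === null) {
                $result['version'] = $m[1];
            }
        }
    }

    // 2. DOM fingerprints from shortcode output and the localized JS object.
    $markers = ['class="thermometer-container"', 'donation-thermometer-text',
                'class="thermometer-svg"', 'thermometer_script_vars', 'data-filltype'];
    foreach ($markers as $marker) {
        if (strpos($html, $marker) !== false) {
            $result['evidence'][] = $marker;
        }
    }

    // Require two independent signals: a lone class name is too generic.
    $result['detected'] = count($result['evidence']) >= 2;

    // 3. Version triage against the CVE table above.
    if ($result['version'] !== null) {
        if (version_compare($result['version'], '2.2.6', '<=')) {
            $result['cves'][] = 'CVE-2025-67550 (fixed in 2.2.7)';
        }
        if (version_compare($result['version'], '2.1.2', '<=')) {
            $result['cves'][] = 'CVE-2022-3128 (fixed in 2.1.3)';
        }
    }
    return $result;
}

// Constructed sample page (example.test is a placeholder host).
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/donation-thermometer/css/thermometer.css?ver=2.2.6">
<script src="https://example.test/wp-content/plugins/donation-thermometer/js/thermometer_front.js?ver=2.2.6"></script>
<script>var thermometer_script_vars = {};</script>
<div class="thermometer-container" data-raised="100" data-target="1000" data-filltype="solid"><svg class="thermometer-svg"></svg></div>
HTML;

print_r(detect_donation_thermometer($sample));
```

The ?ver= value is only plugin-specific when the plugin passed its own version to wp_enqueue_script/wp_enqueue_style; a site that forces a global asset version or strips query strings through a caching layer will leave version null, and /wp-content/plugins/donation-thermometer/readme.txt (Stable tag) is the more reliable source when it is readable.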
FAQ

Frequently Asked Questions about Donation Thermometer