Donor creation is vulnerable to stored XSS due to missing sanitization of user input.
directory notes field, e.g.:
<img src=x onerror="alert('dir notes')" />
Cross-site Scripting (XSS) is an attack vector that allows arbitrary code execution on a vulnerable page, which may lead to more severe impact such as session theft, data theft, phishing and malicious or unintended processing on the client side. Stored XSS is a persistent vector and can deliver higher impact than reflected payloads.
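The missing output encoding described above, shown beside a hardened form, as an added example that is not part of the original report or the affected application's code. The function names and the table-cell markup are assumptions made for illustration.

```javascript
// Added example: escapeHtml, renderNotes* and countTags are hypothetical
// names, not taken from the affected application.

// Constructed sample input: the payload from the report, as it would be
// read back from storage for the notes field.
const storedNotes = `<img src=x onerror="alert('dir notes')" />`;

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can open a tag, close a quoted attribute
// value, or start an entity. Safe for element content and for quoted
// attribute values; not sufficient for script, style or URL contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup unchanged,
// so the browser parses it as an element with an event handler.
function renderNotesUnsafe(notes) {
  return `<td class="notes">${notes}</td>`;
}

// Hardened pattern: encode at output time, on every read, in both the
// element-content and the attribute position.
function renderNotesSafe(notes) {
  const encoded = escapeHtml(notes);
  return `<td class="notes" title="${encoded}">${encoded}</td>`;
}

// Crude tag counter for a regression test: a rendered notes cell should
// contain exactly the template's own opening and closing tag.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

console.log(renderNotesUnsafe(storedNotes)); // payload survives as markup
console.log(renderNotesSafe(storedNotes));   // payload is inert text
```

A tag count above two for a rendered notes cell means stored input reached the page as markup, which makes the check usable as a regression test for this field.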