SQL injection in the Charitable WordPress plugin versions up to 1.8.8.4 allows authenticated users with Subscriber-level access to extract sensitive database information via the donation_ids parameter due to insufficient escaping and lack of prepared statements. The vulnerability requires a paid donation to exploit and affects the donation query processing logic. No public exploit code or active exploitation has been confirmed at the time of analysis, though the flaw is straightforward to weaponize given the low attack complexity and documented vulnerable code path.
Cross-Site Request Forgery in Advanced Database Cleaner plugin for WordPress (versions up to 3.1.6) allows unauthenticated attackers to modify the keep last setting through forged requests targeting the aDBc_prepare_elements_to_clean() function, provided a site administrator can be socially engineered into clicking a malicious link. The vulnerability stems from missing or incorrect nonce validation. While the CVSS score is moderate (4.3), exploitation requires user interaction (UI:R) and results in limited integrity impact (data modification rather than code execution or availability compromise). No public exploit code or active exploitation has been confirmed at time of analysis.