Skip to main content
CVE-2025-11893 MEDIUM This Month

SQL injection in the Charitable WordPress plugin versions up to 1.8.8.4 allows authenticated users with Subscriber-level access to extract sensitive database information via the donation_ids parameter due to insufficient escaping and lack of prepared statements. The vulnerability requires a paid donation to exploit and affects the donation query processing logic. No public exploit code or active exploitation has been confirmed at the time of analysis, though the flaw is straightforward to weaponize given the low attack complexity and documented vulnerable code path.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-11497 MEDIUM This Month

Cross-Site Request Forgery in Advanced Database Cleaner plugin for WordPress (versions up to 3.1.6) allows unauthenticated attackers to modify the keep last setting through forged requests targeting the aDBc_prepare_elements_to_clean() function, provided a site administrator can be socially engineered into clicking a malicious link. The vulnerability stems from missing or incorrect nonce validation. While the CVSS score is moderate (4.3), exploitation requires user interaction (UI:R) and results in limited integrity impact (data modification rather than code execution or availability compromise). No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy