Skip to main content

Donation Thermometer CVE-2025-64636

| EUVDEUVD-2025-210354 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-4m45-94j7-x2xc
5.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable WordPress endpoint, no credentials or interaction required, integrity-only impact limited to plugin-scope data modifications.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:03 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.

AnalysisAI

Broken access control in the Donation Thermometer WordPress plugin version 2.2.7 and earlier allows unauthenticated remote attackers to perform unauthorized actions with low integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests that should be gated behind authentication or capability checks to succeed without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.3 Medium reflects the limited impact scope.

Technical ContextAI

The Donation Thermometer is a WordPress plugin designed to display fundraising progress visually on WordPress sites. CWE-862 (Missing Authorization) indicates that one or more plugin endpoints or AJAX handlers fail to verify whether the requesting user possesses the required WordPress capability or nonce before executing a privileged operation. In WordPress, plugins commonly register wp_ajax and wp_ajax_nopriv hooks; failing to restrict the latter to authenticated users, or omitting capability checks on REST API routes, is a classic manifestation of this weakness. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the vulnerable endpoint is reachable over the network without any credentials or user interaction.

RemediationAI

The primary remediation is to update the Donation Thermometer plugin to a version beyond 2.2.7 as soon as a patched release becomes available from the plugin author; an exact fixed version was not confirmed in the available source data. Site administrators should check the WordPress plugin dashboard or the plugin's repository page for an updated release. As an interim workaround, if the plugin is not actively needed, deactivating or removing it eliminates the attack surface entirely with no functionality trade-off for the site beyond losing the thermometer widget. If the plugin must remain active, restricting access to WordPress AJAX endpoints (wp-admin/admin-ajax.php) via WAF rules or network controls may reduce exposure, though this can break legitimate plugin functionality. Reference the Patchstack advisory for updated patch information: https://patchstack.com/database/wordpress/plugin/donation-thermometer/vulnerability/wordpress-donation-thermometer-plugin-2-2-7-broken-access-control-vulnerability.

Share

CVE-2025-64636 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy