Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable WordPress endpoint, no credentials or interaction required, integrity-only impact limited to plugin-scope data modifications.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.
AnalysisAI
Broken access control in the Donation Thermometer WordPress plugin version 2.2.7 and earlier allows unauthenticated remote attackers to perform unauthorized actions with low integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests that should be gated behind authentication or capability checks to succeed without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.3 Medium reflects the limited impact scope.
Technical ContextAI
The Donation Thermometer is a WordPress plugin designed to display fundraising progress visually on WordPress sites. CWE-862 (Missing Authorization) indicates that one or more plugin endpoints or AJAX handlers fail to verify whether the requesting user possesses the required WordPress capability or nonce before executing a privileged operation. In WordPress, plugins commonly register wp_ajax and wp_ajax_nopriv hooks; failing to restrict the latter to authenticated users, or omitting capability checks on REST API routes, is a classic manifestation of this weakness. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the vulnerable endpoint is reachable over the network without any credentials or user interaction.
RemediationAI
The primary remediation is to update the Donation Thermometer plugin to a version beyond 2.2.7 as soon as a patched release becomes available from the plugin author; an exact fixed version was not confirmed in the available source data. Site administrators should check the WordPress plugin dashboard or the plugin's repository page for an updated release. As an interim workaround, if the plugin is not actively needed, deactivating or removing it eliminates the attack surface entirely with no functionality trade-off for the site beyond losing the thermometer widget. If the plugin must remain active, restricting access to WordPress AJAX endpoints (wp-admin/admin-ajax.php) via WAF rules or network controls may reduce exposure, though this can break legitimate plugin functionality. Reference the Patchstack advisory for updated patch information: https://patchstack.com/database/wordpress/plugin/donation-thermometer/vulnerability/wordpress-donation-thermometer-plugin-2-2-7-broken-access-control-vulnerability.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210354
GHSA-4m45-94j7-x2xc