Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network vector and no-auth access confirmed by CWE-862 with Authentication Bypass tag; limited I:L/A:L impact with no confidentiality breach matches plugin-scoped missing authorization.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through <= 1.7.6.
AnalysisAI
Missing authorization in the FundEngine WordPress fundraising plugin (versions through 1.7.6) permits unauthenticated remote attackers to exploit incorrectly configured access control, resulting in partial data integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, unauthenticated network exploitation with no user interaction required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required - the CVSS PR:N metric confirms unauthenticated network exploitation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 6.5 (Medium) reflects network-accessible, unauthenticated exploitation with limited impact - integrity loss (I:L) and availability disruption (A:L) but no confidentiality breach (C:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running FundEngine ≤1.7.6 and sends crafted HTTP POST or GET requests to the plugin's exposed AJAX or REST API endpoints, bypassing the absent authorization checks. With no credentials or user interaction required, the attacker manipulates fundraising records or disrupts plugin availability, potentially undermining donor trust or corrupting campaign data. … |
| Remediation | Update the FundEngine plugin to a version beyond 1.7.6 once a patched release becomes available from Roxnor. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Fundengine
View allThe WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a param
The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. R
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43479