Skip to main content

Cryptocurrency Donation Box Bitcoin Crypto Donations EUVDEUVD-2026-20385

| CVE-2026-39691 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20385
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box - Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box - Bitcoin & Crypto Donations: from n/a through <= 2.2.13.

AnalysisAI

AdAstraCrypto Cryptocurrency Donation Box plugin for WordPress versions up to 2.2.13 allows unauthenticated remote attackers to modify cryptocurrency donation settings due to missing authorization checks on access control endpoints. The vulnerability enables unauthorized changes to donation configuration without requiring authentication or user interaction, though it does not expose sensitive data or cause denial of service. With an EPSS score of 0.02% and no evidence of active exploitation, this represents a low-probability but direct authorization bypass in a niche plugin.

Technical ContextAI

This vulnerability stems from a Missing Authorization weakness (CWE-862) in the AdAstraCrypto Cryptocurrency Donation Box WordPress plugin, a specialized plugin for accepting Bitcoin and cryptocurrency donations. WordPress plugins that handle financial transactions and configuration changes are expected to implement capability checks before processing sensitive operations. The plugin's API endpoints or administrative functions lack proper authorization validation, allowing the access control security levels to be bypassed entirely. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is exploitable via the network with no special conditions or user interaction required, typical of REST API or AJAX endpoints that fail to verify user permissions before executing sensitive actions. Cryptocurrency-related plugins are high-value targets due to their direct interaction with financial transactions and wallet configurations.

RemediationAI

Update the Cryptocurrency Donation Box plugin to a version greater than 2.2.13 immediately; verify the latest patched version through the WordPress plugin repository or the Patchstack advisory. For sites unable to immediately update, disable the cryptocurrency donation functionality entirely or restrict access to donation configuration endpoints via Web Application Firewall rules limiting access to authenticated administrators only, though this is a temporary mitigation pending full patching. Confirm that all cryptocurrency donation addresses and settings have not been modified by reviewing the plugin's transaction logs and comparing configured wallet addresses against authoritative records. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/cryptocurrency-donation-box/) for the exact patched version number and additional hardening guidance.

Share

EUVD-2026-20385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy