Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box - Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box - Bitcoin & Crypto Donations: from n/a through <= 2.2.13.
AnalysisAI
AdAstraCrypto Cryptocurrency Donation Box plugin for WordPress versions up to 2.2.13 allows unauthenticated remote attackers to modify cryptocurrency donation settings due to missing authorization checks on access control endpoints. The vulnerability enables unauthorized changes to donation configuration without requiring authentication or user interaction, though it does not expose sensitive data or cause denial of service. With an EPSS score of 0.02% and no evidence of active exploitation, this represents a low-probability but direct authorization bypass in a niche plugin.
Technical ContextAI
This vulnerability stems from a Missing Authorization weakness (CWE-862) in the AdAstraCrypto Cryptocurrency Donation Box WordPress plugin, a specialized plugin for accepting Bitcoin and cryptocurrency donations. WordPress plugins that handle financial transactions and configuration changes are expected to implement capability checks before processing sensitive operations. The plugin's API endpoints or administrative functions lack proper authorization validation, allowing the access control security levels to be bypassed entirely. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is exploitable via the network with no special conditions or user interaction required, typical of REST API or AJAX endpoints that fail to verify user permissions before executing sensitive actions. Cryptocurrency-related plugins are high-value targets due to their direct interaction with financial transactions and wallet configurations.
RemediationAI
Update the Cryptocurrency Donation Box plugin to a version greater than 2.2.13 immediately; verify the latest patched version through the WordPress plugin repository or the Patchstack advisory. For sites unable to immediately update, disable the cryptocurrency donation functionality entirely or restrict access to donation configuration endpoints via Web Application Firewall rules limiting access to authenticated administrators only, though this is a temporary mitigation pending full patching. Confirm that all cryptocurrency donation addresses and settings have not been modified by reviewing the plugin's transaction logs and comparing configured wallet addresses against authoritative records. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/cryptocurrency-donation-box/) for the exact patched version number and additional hardening guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20385