Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The FundPress - WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users via wp_ajax_nopriv. The function only validates that the schema parameter equals 'donate-ajax' and that the required POST parameters are present, but fails to verify user capabilities, nonce tokens, or donation ownership. This makes it possible for unauthenticated attackers to modify the status of any donation by providing its ID (which are sequential integers and easily enumerable), allowing them to mark donations as completed, pending, cancelled, or any arbitrary status, potentially triggering email notifications and related side effects.
AnalysisAI
Unauthenticated attackers can bypass authorization controls in FundPress WordPress Donation Plugin versions up to 2.0.8 to arbitrarily modify donation statuses via the donate_action_status() AJAX handler, which lacks nonce verification and capability checks despite being exposed to unauthenticated users. By enumerating sequential donation IDs and sending crafted POST requests, attackers can mark donations as completed, pending, or cancelled, potentially triggering email notifications and corrupting donation records without any user interaction or authentication.
Technical ContextAI
FundPress registers the donate_action_status() AJAX handler via wp_ajax_nopriv, a WordPress hook that explicitly makes an action accessible to unauthenticated users. The handler is designed to validate only the 'schema' parameter (checking it equals 'donate-ajax') and the presence of required POST fields, but implements no capability checks (via current_user_can()), nonce verification (via wp_verify_nonce()), or ownership validation. Since WordPress donation IDs are sequential integers, they are trivial to enumerate. The CWE-862 (Missing Authorization) root cause stems from the complete absence of access control logic that should verify either user authentication or ownership of the donation record being modified.
RemediationAI
Upgrade FundPress to version 2.0.9 or later, which implements proper nonce verification and capability checks in the AJAX handler. Website administrators should immediately audit donation records in versions 2.0.8 and earlier for any suspicious status changes, particularly those lacking corresponding payment gateway confirmations. As a temporary workaround on vulnerable versions, use a Web Application Firewall or .htaccess rules to block unauthenticated POST requests to wp-admin/admin-ajax.php with action=donate_action_status, though this may impact legitimate functionality if the plugin requires unauthenticated AJAX calls for other features. Alternatively, disable the FundPress plugin entirely until the upgrade is feasible. Check the Wordfence vulnerability disclosure (https://www.wordfence.com/threat-intel/vulnerabilities/id/5db3c66f-0a9c-4233-923c-0965dec68c60) for the latest patched version and verify via the WordPress plugin repository at plugins.trac.wordpress.org.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26755