Skip to main content

FundEngine EUVDEUVD-2026-43479

| CVE-2026-57406 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network vector and no-auth access confirmed by CWE-862 with Authentication Bypass tag; limited I:L/A:L impact with no confidentiality breach matches plugin-scoped missing authorization.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:25 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through <= 1.7.6.

AnalysisAI

Missing authorization in the FundEngine WordPress fundraising plugin (versions through 1.7.6) permits unauthenticated remote attackers to exploit incorrectly configured access control, resulting in partial data integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, unauthenticated network exploitation with no user interaction required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running FundEngine ≤1.7.6
Exploit
Send unauthenticated HTTP request to vulnerable plugin endpoint
Execution
Bypass missing authorization check
Impact
Modify fundraising data or trigger availability disruption

Vulnerability AssessmentAI

Exploitation No authentication is required - the CVSS PR:N metric confirms unauthenticated network exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 (Medium) reflects network-accessible, unauthenticated exploitation with limited impact - integrity loss (I:L) and availability disruption (A:L) but no confidentiality breach (C:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running FundEngine ≤1.7.6 and sends crafted HTTP POST or GET requests to the plugin's exposed AJAX or REST API endpoints, bypassing the absent authorization checks. With no credentials or user interaction required, the attacker manipulates fundraising records or disrupts plugin availability, potentially undermining donor trust or corrupting campaign data. …
Remediation Update the FundEngine plugin to a version beyond 1.7.6 once a patched release becomes available from Roxnor. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy