CVE-2025-10186
BaseFortify
Publication date: 2025-10-15
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | whydonate | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WhyDonate WordPress plugin, where a missing capability check in the remove_row function allows unauthenticated attackers to delete rows from the wp_wdplugin_style database table. Essentially, attackers can remove data without proper authorization.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized deletion of data from the plugin's database table, potentially disrupting the plugin's functionality or causing loss of important crowdfunding or fundraising data. Since attackers do not need to be authenticated, this poses a risk of data integrity issues.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WhyDonate plugin to a version later than 4.0.14 where the missing capability check on the remove_row function is fixed. If an update is not available, consider disabling or removing the plugin until a patch is released to prevent unauthorized deletion of data.