CVE-2026-3177
Insufficient Data Verification in Charitable Plugin Enables Donation Forgery
Publication date: 2026-04-07
Last updated on: 2026-04-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| charitable | donation_plugin | to 1.8.9.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Charitable β Donation Plugin for WordPress is vulnerable due to insufficient verification of data authenticity in versions up to and including 1.8.9.7. Specifically, the plugin lacks cryptographic verification of incoming Stripe webhook events.
This vulnerability allows unauthenticated attackers to forge payment_intent.succeeded webhook payloads, which can falsely mark pending donations as completed without an actual payment being made.
How can this vulnerability impact me? :
This vulnerability can lead to financial fraud by allowing attackers to mark donations as completed without real payments. This could result in inaccurate donation records and potential financial losses for organizations using the plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to forge payment webhook payloads and mark donations as completed without real payments. This could lead to inaccurate financial records and potential misuse of donation data.
However, there is no specific information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.