CVE-2026-4650
Deferred Deferred - Pending Action
Authorization Bypass in FundPress WordPress Donation Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users via wp_ajax_nopriv. The function only validates that the schema parameter equals 'donate-ajax' and that the required POST parameters are present, but fails to verify user capabilities, nonce tokens, or donation ownership. This makes it possible for unauthenticated attackers to modify the status of any donation by providing its ID (which are sequential integers and easily enumerable), allowing them to mark donations as completed, pending, cancelled, or any arbitrary status, potentially triggering email notifications and related side effects.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4650
EUVD
EUVD-2026-26755
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fundpress donation_plugin to 2.0.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The FundPress – WordPress Donation Plugin is vulnerable to an authorization bypass in versions up to and including 2.0.8. This happens because the donate_action_status() AJAX handler does not properly verify user permissions or nonce tokens. It only checks that a specific schema parameter is present and that required POST parameters exist, but it does not confirm if the user is authorized or owns the donation.

As a result, unauthenticated attackers can exploit this flaw by providing donation IDs, which are sequential and easy to guess, to change the status of any donation. They can mark donations as completed, pending, cancelled, or any other status, potentially triggering email notifications and other side effects.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify the status of any donation in the FundPress plugin. This can lead to unauthorized changes such as marking donations as completed or cancelled without permission.

Such unauthorized modifications could cause confusion, disrupt donation processing, and trigger unintended email notifications or other automated actions tied to donation status changes.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized AJAX requests to the donate_action_status() handler that are accessible without authentication. Specifically, look for POST requests containing the parameter schema=donate-ajax and donation IDs being modified without proper user authentication.

Commands to detect such activity could include using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to the WordPress AJAX endpoint (usually /wp-admin/admin-ajax.php) with the parameter schema=donate-ajax.

  • Example tcpdump command: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'schema=donate-ajax'
  • Use web server logs to search for POST requests to admin-ajax.php with schema=donate-ajax and check if they originate from unauthenticated IPs.
Mitigation Strategies

Immediate mitigation steps include updating the FundPress WordPress Donation Plugin to a version later than 2.0.8 where this authorization bypass vulnerability is fixed.

If an update is not immediately available, restrict access to the AJAX handler by implementing additional authorization checks or disabling the vulnerable AJAX action for unauthenticated users.

Additionally, monitor and audit donation status changes for suspicious activity and consider temporarily disabling donation status modification features until a patch is applied.

Compliance Impact

The vulnerability allows unauthenticated attackers to modify the status of any donation, potentially triggering email notifications and related side effects. This unauthorized modification of donation data could lead to integrity issues and unauthorized data manipulation.

However, there is no explicit information provided about the direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4650. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart