CVE-2026-4650
Authorization Bypass in FundPress WordPress Donation Plugin
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fundpress | donation_plugin | up to 2.0.8 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The FundPress WordPress Donation Plugin is vulnerable to an authorization bypass in versions up to and including 2.0.8. This happens because the donate_action_status() AJAX handler does not properly verify user permissions or nonce tokens. It only checks that a specific schema parameter is present and that the required POST parameters exist, but it does not confirm whether the user is authorized or owns the donation.
As a result, unauthenticated attackers can exploit this flaw by providing donation IDs, which are sequential and easy to guess, to change the status of any donation. They can mark donations as completed, pending, cancelled, or any other status, potentially triggering email notifications and other side effects.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to modify the status of any donation in the FundPress plugin. This can lead to unauthorized changes such as marking donations as completed or cancelled without permission.
Such unauthorized modifications could cause confusion, disrupt donation processing, and trigger unintended email notifications or other automated actions tied to donation status changes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for AJAX requests that reach the donate_action_status() handler without authentication. Specifically, look for POST requests containing the parameter schema=donate-ajax that modify donation IDs without a logged-in user.
Commands to detect such activity could include using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to the WordPress AJAX endpoint (usually /wp-admin/admin-ajax.php) for the parameter schema=donate-ajax. Note that traffic on port 443 is TLS-encrypted, so a packet-capture filter can only match the request parameters on plaintext port 80 or on a capture taken behind a TLS-terminating proxy; for HTTPS sites, rely on the web server's logs instead.
- Example tcpdump command: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'schema=donate-ajax'`
- Use web server logs to search for POST requests to admin-ajax.php with schema=donate-ajax and check whether they come from clients that are not logged in.
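Applying the web-server-log check above, here is an added PHP 8 script (it is not part of the advisory or the plugin) that parses constructed combined-format access-log lines, keeps only POST requests to admin-ajax.php carrying schema=donate-ajax, and groups them per client IP so that one client touching many distinct donation IDs stands out. It assumes the parameters are visible in the query string and that the donation ID field is called donation_id (the page names neither the field nor the AJAX action value); standard access logs do not record POST bodies, so on a site where the plugin sends its fields only in the body, point it at a body-logging source such as a ModSecurity audit log instead.

```php
<?php
// Added example, not from the advisory or the plugin: scan access-log lines for
// POST requests to admin-ajax.php carrying schema=donate-ajax and group them by
// client IP, so a single client changing many distinct donation IDs stands out.
// Assumptions: combined log format (Apache/nginx default) and request parameters
// visible in the query string. The field name 'donation_id' is assumed.

// Constructed sample lines (not real traffic). RFC 5737 documentation addresses.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [02/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?schema=donate-ajax&donation_id=101&status=completed HTTP/1.1" 200 54 "-" "curl/8.5.0"
203.0.113.7 - - [02/May/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?schema=donate-ajax&donation_id=102&status=completed HTTP/1.1" 200 54 "-" "curl/8.5.0"
203.0.113.7 - - [02/May/2026:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?schema=donate-ajax&donation_id=103&status=cancelled HTTP/1.1" 200 54 "-" "curl/8.5.0"
198.51.100.4 - - [02/May/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://example.org/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [02/May/2026:10:06:10 +0000] "POST /wp-admin/admin-ajax.php?schema=donate-ajax&donation_id=5&status=completed HTTP/1.1" 200 54 "https://example.org/donate/" "Mozilla/5.0"
192.0.2.9 - - [02/May/2026:10:06:11 +0000] "GET /wp-admin/admin-ajax.php?schema=donate-ajax&donation_id=5 HTTP/1.1" 200 54 "https://example.org/donate/" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into its security-relevant fields, or null if it does not match. */
function parse_access_line(string $line): ?array
{
    // ip ident user [time] "METHOD target HTTP/x" status size ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    parse_str(parse_url($m[4], PHP_URL_QUERY) ?? '', $params);
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH) ?? '',
        'params' => $params,
        'status' => (int) $m[5],
    ];
}

/** The request shape the advisory describes: POST to admin-ajax.php with schema=donate-ajax. */
function is_donate_status_request(array $req): bool
{
    return $req['method'] === 'POST'
        && str_ends_with($req['path'], '/admin-ajax.php')
        && ($req['params']['schema'] ?? '') === 'donate-ajax';
}

/**
 * Group matching requests per client IP. A legitimate donor normally touches
 * only its own donation, so a client changing many distinct IDs is the pattern
 * to review. $threshold is a tuning knob for that count.
 */
function summarize_donate_requests(string $log, int $threshold = 3): array
{
    $by_ip = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_access_line($line);
        if ($req === null || !is_donate_status_request($req)) {
            continue;
        }
        $ip = $req['ip'];
        $by_ip[$ip] ??= ['requests' => 0, 'ids' => [], 'first' => $req['time'], 'last' => $req['time']];
        $by_ip[$ip]['requests']++;
        $by_ip[$ip]['last'] = $req['time'];
        if (isset($req['params']['donation_id'])) {
            $by_ip[$ip]['ids'][$req['params']['donation_id']] = true;
        }
    }
    $out = [];
    foreach ($by_ip as $ip => $agg) {
        $distinct = count($agg['ids']);
        $out[$ip] = [
            'requests'     => $agg['requests'],
            'distinct_ids' => $distinct,
            'window'       => $agg['first'] . ' .. ' . $agg['last'],
            'review'       => $distinct >= $threshold,
        ];
    }
    return $out;
}

// With the sample above: 203.0.113.7 is flagged (3 distinct IDs in 3 seconds),
// 192.0.2.9 is not (one ID, and its GET is ignored), the heartbeat is ignored.
foreach (summarize_donate_requests(SAMPLE_LOG) as $ip => $f) {
    printf("%-14s requests=%d distinct_donation_ids=%d window=[%s]%s\n",
        $ip, $f['requests'], $f['distinct_ids'], $f['window'], $f['review'] ? ' REVIEW' : '');
}
```

The log line alone cannot tell you whether the client held a WordPress login session, so treat a flagged IP as a lead to correlate with the site's donation records and user activity, not as proof of abuse.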
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the FundPress WordPress Donation Plugin to a version later than 2.0.8 where this authorization bypass vulnerability is fixed.
If an update is not immediately available, restrict access to the AJAX handler by implementing additional authorization checks or disabling the vulnerable AJAX action for unauthenticated users.
Additionally, monitor and audit donation status changes for suspicious activity and consider temporarily disabling donation status modification features until a patch is applied.
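The explanation above says the handler checks only that the schema parameter and the POST fields are present, and the mitigation advice is to add authorization checks. As an added illustration (this is not FundPress code and not the vendor's fix), the following PHP shows the checks such a WordPress AJAX handler needs: nonce verification, a logged-in user, an allow-listed status value and ownership of the specific donation named in the request, with the anonymous wp_ajax_nopriv_ route left unregistered. All identifiers (fp_demo_*, the AJAX action name, the POST field names, the fp_donation post type) are hypothetical. The decision itself is a pure function so it can be exercised from the command line without WordPress, which the trailing self-check does.

```php
<?php
/**
 * Added example, not code from FundPress or from the advisory. It shows the
 * checks an AJAX status-change handler in a WordPress plugin needs so that it
 * does not fall into CWE-862. All names here (fp_demo_*, the 'fp_demo_status'
 * AJAX action, the 'donation_id'/'status'/'nonce' POST fields, the 'fp_donation'
 * post type) are hypothetical; the plugin's real names and storage are not given.
 */

// Statuses the handler may set. Anything else is rejected before any lookup.
const FP_DEMO_ALLOWED_STATUSES = ['pending', 'completed', 'cancelled', 'refunded'];

/**
 * The authorization decision, kept free of WordPress calls so it can be tested
 * on its own. Returns null when the change is allowed, otherwise a reason code.
 *
 * $ctx keys: nonce_valid (bool), user_id (int, 0 = anonymous), is_admin (bool),
 *            owner_id (int|null, null = no such donation), status (string)
 */
function fp_demo_authorize_status_change(array $ctx): ?string
{
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    if (empty($ctx['nonce_valid'])) {
        return 'invalid_nonce';
    }
    // 2. Authentication: anonymous requests never change a donation.
    if ((int) ($ctx['user_id'] ?? 0) <= 0) {
        return 'not_logged_in';
    }
    // 3. Input validation: only allow-listed status values.
    if (!in_array($ctx['status'] ?? '', FP_DEMO_ALLOWED_STATUSES, true)) {
        return 'invalid_status';
    }
    // 4. The referenced donation must exist.
    if (($ctx['owner_id'] ?? null) === null) {
        return 'not_found';
    }
    // 5. Authorization: a site administrator, or the owner of this donation.
    //    Binding the check to the requested ID is what stops a logged-in user
    //    from walking sequential IDs that belong to other donors.
    if (empty($ctx['is_admin']) && (int) $ctx['owner_id'] !== (int) $ctx['user_id']) {
        return 'not_owner';
    }
    return null;
}

// WordPress glue, only defined when WordPress is loaded. Note the absence of a
// wp_ajax_nopriv_ registration: admin-ajax.php then never routes anonymous
// requests to this handler at all.
if (function_exists('add_action')) {
    function fp_demo_status_handler(): void
    {
        // Nonce is created client-side with wp_create_nonce('fp_demo_status') and
        // sent as the POST field 'nonce'; third argument false = return instead of die.
        $nonce_valid = (bool) check_ajax_referer('fp_demo_status', 'nonce', false);
        $donation_id = isset($_POST['donation_id']) ? absint($_POST['donation_id']) : 0;
        $status      = isset($_POST['status']) ? sanitize_key(wp_unslash($_POST['status'])) : '';

        $post     = $donation_id > 0 ? get_post($donation_id) : null;
        $owner_id = ($post && $post->post_type === 'fp_donation') ? (int) $post->post_author : null;

        $reason = fp_demo_authorize_status_change([
            'nonce_valid' => $nonce_valid,
            'user_id'     => get_current_user_id(),
            'is_admin'    => current_user_can('manage_options'),
            'owner_id'    => $owner_id,
            'status'      => $status,
        ]);
        if ($reason !== null) {
            wp_send_json_error(['reason' => $reason], $reason === 'not_found' ? 404 : 403);
        }
        // Authorized: persist the change. Post meta is a stand-in for the plugin's own storage.
        update_post_meta($donation_id, 'fp_demo_status', $status);
        wp_send_json_success(['donation_id' => $donation_id, 'status' => $status]);
    }
    add_action('wp_ajax_fp_demo_status', 'fp_demo_status_handler');
}

// Offline self-check when run from the command line outside WordPress.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $base  = ['nonce_valid' => true, 'user_id' => 7, 'is_admin' => false, 'owner_id' => 7, 'status' => 'completed'];
    $cases = [
        'owner may change own donation'     => [$base, null],
        'anonymous request is refused'      => [['user_id' => 0] + $base, 'not_logged_in'],
        'missing nonce is refused'          => [['nonce_valid' => false] + $base, 'invalid_nonce'],
        "other user's donation is refused"  => [['owner_id' => 8] + $base, 'not_owner'],
        'administrator may change any'      => [['owner_id' => 8, 'is_admin' => true] + $base, null],
        'unknown status is refused'         => [['status' => 'paid'] + $base, 'invalid_status'],
        'unknown donation id is refused'    => [['owner_id' => null] + $base, 'not_found'],
    ];
    foreach ($cases as $name => [$ctx, $want]) {
        $got = fp_demo_authorize_status_change($ctx);
        printf("%-34s %s\n", $name, $got === $want ? 'ok' : 'FAIL (got ' . var_export($got, true) . ')');
    }
}
```

The order of the checks matters less than their presence: the nonce stops cross-site requests, the login check and the missing wp_ajax_nopriv_ registration stop anonymous callers, and the ownership comparison is what removes the value of guessing sequential donation IDs once an attacker does have an account.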
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to modify the status of any donation, potentially triggering email notifications and related side effects. This unauthorized modification of donation data could lead to integrity issues and unauthorized data manipulation.
However, there is no explicit information provided about the direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.