CVE-2026-10038
Authorization Bypass Leads to Arbitrary Attachment Deletion in Charitable WordPress Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| charitable | charitable | up to and including 1.8.11.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Charitable - Donation Plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) and authorization bypass that allows arbitrary deletion of attachments. The plugin's save_avatar() function deletes the attachment whose ID is stored in the user's 'avatar' user meta without verifying that the user actually owns that attachment. An attacker who can set the 'avatar' meta to an arbitrary attachment ID can therefore delete any file in the Media Library in two requests: first, poison the 'avatar' meta with the target attachment ID; then trigger the deletion by performing a normal avatar upload, which makes save_avatar() remove what it believes is the user's previous avatar.
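The following is an added illustration of the CWE-639 pattern the advisory describes; it is not Charitable's actual code, and the function and variable names (example_save_avatar_vulnerable, example_save_avatar_hardened, example_user_owns_attachment) are hypothetical. It assumes the avatar attachment ID lives in the 'avatar' user meta and that the plugin's own upload flow stores the uploading user as the attachment's post_author. The vulnerable version trusts whatever ID the meta holds; the hardened version checks that the referenced post is an attachment owned by the requesting user before deleting it, and applies the same check to the incoming attachment ID before storing it.

```php
<?php
// Added example, not the plugin's own code. Requires WordPress core functions
// (get_user_meta, update_user_meta, get_post, wp_delete_attachment).

/**
 * Vulnerable pattern (matches the advisory): the attachment ID is read from the
 * user's 'avatar' meta and deleted with no ownership check. If that meta has
 * been poisoned with another post's ID, an arbitrary Media Library item is
 * removed. Returns the ID that was deleted, or 0 if nothing was deleted.
 */
function example_save_avatar_vulnerable( $user_id, $new_attachment_id ) {
    $deleted           = 0;
    $old_attachment_id = (int) get_user_meta( $user_id, 'avatar', true );

    if ( $old_attachment_id > 0 ) {
        // Trusts the stored ID blindly: CWE-639 / IDOR.
        if ( wp_delete_attachment( $old_attachment_id, true ) ) {
            $deleted = $old_attachment_id;
        }
    }

    update_user_meta( $user_id, 'avatar', (int) $new_attachment_id );
    return $deleted;
}

/**
 * Ownership check used by the hardened version: the ID must resolve to a post
 * of type 'attachment' whose post_author is the given user. Assumption: the
 * plugin's avatar upload records the uploader as post_author.
 */
function example_user_owns_attachment( $user_id, $attachment_id ) {
    $attachment_id = (int) $attachment_id;
    if ( $attachment_id <= 0 ) {
        return false;
    }
    $post = get_post( $attachment_id );
    return $post
        && 'attachment' === $post->post_type
        && (int) $post->post_author === (int) $user_id;
}

/**
 * Hardened pattern: only delete the previous avatar if the requesting user
 * owns it, and refuse to store a new avatar ID the user does not own. A stale
 * or foreign ID in the meta is simply overwritten, never acted on.
 * Returns the ID that was deleted, or 0.
 */
function example_save_avatar_hardened( $user_id, $new_attachment_id ) {
    $user_id           = (int) $user_id;
    $new_attachment_id = (int) $new_attachment_id;

    // Reject a new avatar that points at someone else's attachment, otherwise
    // the attacker could "bank" a target ID for deletion on the next upload.
    if ( ! example_user_owns_attachment( $user_id, $new_attachment_id ) ) {
        return 0;
    }

    $deleted           = 0;
    $old_attachment_id = (int) get_user_meta( $user_id, 'avatar', true );

    if ( $old_attachment_id > 0
        && $old_attachment_id !== $new_attachment_id
        && example_user_owns_attachment( $user_id, $old_attachment_id ) ) {
        if ( wp_delete_attachment( $old_attachment_id, true ) ) {
            $deleted = $old_attachment_id;
        }
    }

    update_user_meta( $user_id, 'avatar', $new_attachment_id );
    return $deleted;
}
```

The ownership check is deliberately based on post_author rather than only on current_user_can( 'delete_post', ... ): for the 'attachment' post type, WordPress maps that meta capability onto delete_posts, which Subscriber-level accounts do not hold, so a pure capability check would also block a subscriber from replacing their own avatar. Pairing the author check with a post_type check also stops a poisoned meta value from pointing at a non-attachment post.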
How can this vulnerability impact me?
This vulnerability allows authenticated users with Subscriber-level access or higher to delete any attachment in the WordPress Media Library, not just their own. This could lead to loss of important media files, disruption of website content, and potential damage to the site's integrity and user experience.