CVE-2026-57406
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-57406, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Patchstack

Description

Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through <= 1.7.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
roxnor fundengine to 1.7.6 (inc)
patchstack wp_fundraising_donation From 1.0.0 (inc) to 1.7.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability is a Broken Access Control issue in the WordPress FundEngine Plugin (versions 1.7.6 and below). It occurs because of missing authorization, authentication, or nonce token checks, which allows unauthenticated users to perform actions that should require higher privileges.

This means that attackers can exploit incorrectly configured access control security levels to carry out unauthorized actions on affected websites.

Impact Analysis

This vulnerability can allow attackers to perform higher-privileged actions without authentication, potentially compromising the integrity of your website.

It is considered moderately dangerous and may be exploited in mass campaigns targeting thousands of websites, which could lead to unauthorized changes, data manipulation, or service disruption.

Immediate action is advised to prevent exploitation, such as updating the plugin to version 1.7.7 or later or applying mitigation rules.

Detection Guidance

This vulnerability allows unauthenticated users to perform higher-privileged actions due to missing authorization checks in the WordPress FundEngine Plugin versions 1.7.6 and below.

Detection can involve monitoring for unusual or unauthorized access attempts to the wp-fundraising-donation plugin endpoints, especially those that should require authentication.

While specific commands are not provided in the resources, typical detection methods include reviewing web server logs for suspicious requests targeting FundEngine plugin URLs and using intrusion detection systems (IDS) with rules to identify attempts to exploit broken access control.

Mitigation Strategies

Immediate mitigation steps include updating the WordPress FundEngine Plugin to version 1.7.7 or later, where the vulnerability is fixed.

Until the update can be applied, it is advised to implement a mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Additionally, seeking assistance from your hosting provider or a web developer to apply temporary access controls or firewall rules can help reduce the risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57406. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart