Description
The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.
Published: 2025-10-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of plugin data
Action: Apply Update
AI Analysis

Impact

The WhyDonate WordPress plugin is vulnerable because it lacks a capability check when executing the remove_row function. This omission allows an unauthenticated attacker to send requests that delete rows from the plugin’s database table wp_wdplugin_style, which stores campaign style data. The result is a loss or alteration of campaign presentation settings, potentially disrupting fundraising pages and erasing configured styles. The weakness is classified as a missing authorization flaw (CWE‑862).

Affected Systems

This weakness affects the WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin published by jjlemstra. All releases through and including version 4.0.15 are vulnerable. WordPress sites that have any of these versions installed are at risk. More recent releases beyond 4.0.15 are presumed fixed.

Risk and Exploitability

The CVSS base score is 5.3, indicating a moderate severity. The EPSS score of less than 1% indicates that, at the time of reporting, exploitation is considered unlikely, possibly because the attack requires unauthenticated HTTP requests to a non‑public endpoint. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by directly calling the remove_row endpoint via an unauthenticated request, provided the website has the plugin active. Therefore, while the risk is moderate, exploitation is limited to sites that have not applied the recent patch.

Generated by OpenCVE AI on April 22, 2026 at 13:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WhyDonate plugin to the latest release that includes the authorization fix.
  • Apply a temporary capability check or disable the remove_row endpoint so that only administrator users can invoke it.
  • Deactivate or uninstall the plugin if it is not required until the patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 13:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.14. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table. The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.
Title WhyDonate – FREE Donate button – Crowdfunding – Fundraising <= 4.0.14 - Missing Authorization to Unauthenticated wp_wdplugin_style Rww Deletion WhyDonate – FREE Donate button – Crowdfunding – Fundraising <= 4.0.15 - Missing Authorization to Unauthenticated wp_wdplugin_style Rww Deletion
References

Tue, 21 Oct 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Whydonate
Whydonate wp Whydonate
Wordpress
Wordpress wordpress
Vendors & Products Whydonate
Whydonate wp Whydonate
Wordpress
Wordpress wordpress

Wed, 15 Oct 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Oct 2025 08:45:00 +0000

Type Values Removed Values Added
Description The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.14. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.
Title WhyDonate – FREE Donate button – Crowdfunding – Fundraising <= 4.0.14 - Missing Authorization to Unauthenticated wp_wdplugin_style Rww Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Whydonate Wp Whydonate
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:25.746Z

Reserved: 2025-09-09T15:17:41.637Z

Link: CVE-2025-10186

cve-icon Vulnrichment

Updated: 2025-10-15T19:44:01.669Z

cve-icon NVD

Status : Deferred

Published: 2025-10-15T09:15:38.467

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10186

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses