Description
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires a paid donation.
Published: 2025-10-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection that can expose sensitive database information
Action: Immediate Patch
AI Analysis

Impact

A user‑supplied parameter, donation_ids, is insufficiently escaped before it is embedded in the Charitable plugin’s SQL queries, and the query itself is not prepared. An attacker can therefore append additional SQL commands to the existing statement and potentially extract confidential data from the WordPress database. The vulnerability is a classic CWE‑89 case of unsanitized input being embedded into a database statement.

Affected Systems

The affected product is the Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More by smub. Versions up to and including 1.8.8.4 are vulnerable. The plugin runs within the WordPress environment and provides donation handling features to site users.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% signals a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. From the description it is inferred that an attacker must hold at least Subscriber‑level permissions and complete a paid donation before a malicious donation_ids value can be injected. Once injected, the attacker can exploit the raw SQL query to retrieve or manipulate sensitive database content.

Generated by OpenCVE AI on April 22, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Charitable to the latest release that contains the fix for the SQL injection issue.
  • Until a patch is applied, disable or restrict the donation processing functionality for subscriber and lower roles to prevent exploitation.
  • Implement strict input validation for the donation_ids field, allowing only numeric identifiers and properly escaping any user input before it is incorporated into database queries.
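The third recommended action (numeric allowlisting of donation_ids plus a prepared query) is illustrated below. This is an added example, not code from the Charitable plugin or from OpenCVE; the function names and the example_donations table are hypothetical, while $wpdb, absint() and $wpdb->prepare() are real WordPress APIs. The first function shows the CWE-89 shape the description names (a user-controlled string concatenated into an IN clause); the second shows the hardened form.

```php
<?php
// Added illustration, not code from the Charitable plugin. The function names
// and the example_donations table are hypothetical; $wpdb, absint() and
// $wpdb->prepare() are the real WordPress database and sanitisation APIs.

// UNSAFE PATTERN (the CWE-89 shape described in the advisory): the raw,
// user-controlled donation_ids string becomes part of the SQL text, so the
// query is neither escaped nor prepared.
function example_get_donations_unsafe( string $donation_ids ): array {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}example_donations WHERE donation_id IN ({$donation_ids})";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Validation step on its own: reduce an arbitrary comma-separated string to a
// list of positive integers. absint() coerces non-numeric pieces to 0, which
// the filter then drops, so no non-numeric byte survives this step.
function example_parse_donation_ids( string $donation_ids ): array {
    $ids = array_map( 'absint', explode( ',', $donation_ids ) );
    return array_values( array_filter( $ids, static fn( int $id ): bool => $id > 0 ) );
}

// HARDENED VERSION: allowlist the input, then bind every value through a %d
// placeholder so user data never reaches the SQL text itself.
function example_get_donations_safe( string $donation_ids ): array {
    global $wpdb;

    $ids = example_parse_donation_ids( $donation_ids );
    if ( empty( $ids ) ) {
        // Nothing valid to look up; do not fall through to an unbounded query.
        return array();
    }

    // One %d placeholder per id, e.g. "%d,%d,%d" for three ids.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );

    // $wpdb->prepare() accepts the bound values as an array in its second argument.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_donations WHERE donation_id IN ({$placeholders})",
        $ids
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The allowlist alone (example_parse_donation_ids) already removes every non-numeric character the description's "insufficient escaping" refers to; the prepared statement with %d placeholders is the "sufficient preparation" it says the original query lacks, and keeping both means a future change to the validation logic does not silently reopen the injection.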

Generated by OpenCVE AI on April 22, 2026 at 12:36 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 24 Nov 2025 21:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
Values Added: Smub; Smub charitable–donation Plugin For Wordpress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Smub; Smub charitable–donation Plugin For Wordpress; Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 07:00:00 +0000

Type: Description
Values Added: The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires a paid donation.

Type: Title
Values Added: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.8.4 - Authenticated (Subscriber+) SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:52.670Z

Reserved: 2025-10-16T20:12:20.027Z

Link: CVE-2025-11893

Vulnrichment

Updated: 2025-10-27T15:53:21.155Z

NVD

Status : Deferred

Published: 2025-10-25T07:15:40.540

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses