Description
The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.
Published: 2025-03-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Update Plugin
AI Analysis

Impact

WP Crowdfunding for WordPress lacks a capability check on its download_data action in all versions up to and including 2.1.14 (CWE-862, missing authorization). Any authenticated user, subscriber role and above, can therefore invoke the action and download all of the site's post content when WooCommerce is installed. Published posts are public anyway; the confidentiality impact lies in whatever the export includes that is not already public (drafts, private or password-protected posts, for example), which a subscriber could not otherwise read.

Affected Systems

The affected product is Themeum's WP Crowdfunding plugin for WordPress (CPE cpe:2.3:a:themeum:wp_crowdfunding:*:*:*:*:*:wordpress:*:*), in all versions up to and including 2.1.14. The affected range was widened from 2.1.13 to 2.1.14 in April 2026, so a site that updated to 2.1.14 on the strength of the original advisory is still exposed. The issue only manifests when WooCommerce is also installed; sites running the plugin without WooCommerce are not exposed through this particular download path, but should still be updated.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The published vector is scored with PR:N even though the description requires an authenticated subscriber; scored as PR:L, the same vector would yield 4.3. Either way the impact is confidentiality only. The EPSS score is about 0.07 % (0.00065), and the CVE is not in CISA's KEV catalog; the SSVC assessment at publication was Exploitation: none, Automatable: yes, Technical Impact: partial. The authentication requirement is a weak barrier in practice: subscriber is the lowest WordPress role, and any site with open user registration hands one to anyone. Once logged in, an attacker only has to send a request for the download_data action; no further interaction or privilege is needed. The root cause is a missing capability check (CWE-862), so the remedy is to add the check by updating the plugin, not to remove any capability from users.

Generated by OpenCVE AI on April 22, 2026 at 01:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Crowdfunding to a version later than 2.1.14 that adds the capability check. No fixed version is listed in this entry, so confirm the fix in the plugin changelog before relying on an update.
  • If an immediate update is not possible, restrict the download_data action to administrators (for example with a must-use plugin that refuses the action for users lacking manage_options) or deactivate WP Crowdfunding until a patch is applied.
  • Because the issue only manifests with WooCommerce installed, deactivating WooCommerce removes the exposed path where that is acceptable. Otherwise review access logs for download_data requests from non-administrator accounts; a low EPSS score and absence from KEV do not rule out targeted use.
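The following is an added illustrative example, not code from WP Crowdfunding or from Themeum. It shows the CWE-862 pattern the advisory describes, the hardened form of the same handler, and the kind of interim gate the second recommendation above refers to. It assumes that download_data is dispatched through admin-ajax.php as a wp_ajax_ hook; that hook name, the manage_options capability, the nonce name and the example_* function names are assumptions for illustration.

```php
<?php
/**
 * Added illustrative example (not WP Crowdfunding's own code). It assumes the
 * download_data action is dispatched through admin-ajax.php as a wp_ajax_
 * hook; the hook name, the capability chosen, the nonce name and the
 * example_* function names are assumptions for illustration.
 */

// --- 1. The CWE-862 pattern: an AJAX handler with no capability check. -----
// Shown for contrast only; it is deliberately NOT registered below.
// Every logged-in user (subscriber and up) can reach wp_ajax_ hooks, so
// this returns every post on the site to anyone with an account.
function example_download_data_unsafe() {
    $posts = get_posts( array( 'post_type' => 'any', 'numberposts' => -1 ) );
    header( 'Content-Type: application/json' );
    echo wp_json_encode( $posts );
    wp_die();
}

// --- 2. Hardened form: authorization first, then CSRF protection. -----------
function example_download_data_safe() {
    // Authorization: only users allowed to manage the site may export it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() calls wp_die()
    }
    // Nonce: a capability check alone still leaves an administrator open to
    // CSRF; check_ajax_referer() dies with HTTP 403 on a missing/invalid nonce.
    check_ajax_referer( 'example_download_data', 'nonce' );

    $posts = get_posts( array( 'post_type' => 'any', 'numberposts' => -1 ) );
    wp_send_json_success( $posts );
}
add_action( 'wp_ajax_download_data', 'example_download_data_safe' );

// --- 3. Interim site-level gate (mu-plugin) until the plugin is patched. ----
// admin-ajax.php fires admin_init before it dispatches wp_ajax_{action}, so a
// must-use plugin can refuse the action for anyone below administrator
// without touching the vulnerable plugin's code.
function example_gate_download_data() {
    if ( ! wp_doing_ajax() ) {
        return; // only AJAX dispatch is of interest here
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( 'download_data' === $action && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // stops before the plugin's handler runs
    }
}
// Priority 0 so the gate runs ahead of other admin_init callbacks.
add_action( 'admin_init', 'example_gate_download_data', 0 );
```

Part 3 belongs in its own file under wp-content/mu-plugins/: must-use plugins load before regular plugins and cannot be deactivated from the dashboard, so the check is in place regardless of plugin load order. Remove it once a fixed version is installed, since it blocks the action for non-administrators even after the patch.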


Advisories

Source: EUVD
ID: EUVD-2025-7404
Title: The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
  Removed: The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.
  Added: The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.
Type: Title
  Removed: WP Crowdfunding <= 2.1.13 - Missing Authorization to Authenticated (Subscriber+) Post Content Download
  Added: WP Crowdfunding <= 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Post Content Download
Type: References (no values listed)

Sat, 12 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
  Removed: {'score': 0.0005}
  Added: {'score': 0.00065}

Thu, 20 Mar 2025 14:15:00 +0000

Type: First Time appeared
  Added: Themeum; Themeum wp Crowdfunding
Type: CPEs
  Added: cpe:2.3:a:themeum:wp_crowdfunding:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Added: Themeum; Themeum wp Crowdfunding

Wed, 12 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Mar 2025 03:45:00 +0000

Type: Description
  Added: The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.
Type: Title
  Added: WP Crowdfunding <= 2.1.13 - Missing Authorization to Authenticated (Subscriber+) Post Content Download
Type: Weaknesses
  Added: CWE-862
Type: References (no values listed)
Type: Metrics (cvssV3_1)
  Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:00:24.180Z
Reserved: 2025-02-20T19:01:35.576Z
Link: CVE-2025-1508

Vulnrichment

Updated: 2025-03-12T13:28:13.480Z

NVD

Status: Modified
Published: 2025-03-12T04:15:16.520
Modified: 2026-04-08T18:24:25.417
Link: CVE-2025-1508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses

CWE-862 (Missing Authorization)