Description
Cross-Site Request Forgery (CSRF) vulnerability in Roxnor FundEngine wp-fundraising-donation allows Cross Site Request Forgery. This issue affects FundEngine: from n/a through <= 1.7.3.
Published: 2025-05-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery (CSRF) flaw exists in the Roxnor FundEngine (WP Fundraising Donation and Crowdfunding Platform) WordPress plugin. An attacker who gets an authenticated user to open a page under the attacker's control can make that user's browser submit a request to the plugin, and the plugin processes it as if the user had submitted it, because it does not verify that the request originated from one of its own forms (the WordPress control for this is a nonce tied to the action and the user's session). The weakness is CWE-352. Per the CVSS 3.1 vector recorded for this CVE (C:N/I:L/A:N), the impact is limited to integrity: an attacker can cause unintended changes through the victim's session, but gains no read access to donation data and causes no denial of service.

Affected Systems

The Roxnor FundEngine plugin (WordPress.org slug wp-fundraising-donation), from the earliest available release through 1.7.3, is affected. Any WordPress site running one of these versions is at risk. The vendor is listed as Roxnor:FundEngine; the original advisory and the earlier description on this page attribute the same plugin to XpeedStudio under the name WP Fundraising Donation and Crowdfunding Platform, so inventories keyed on either vendor name should be checked.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates moderate severity: the attacker needs no account on the site (PR:N) but does need the victim to act (UI:R), typically by opening an attacker-controlled page while logged in to WordPress. The EPSS score of less than 1% indicates that exploitation is currently unlikely, the SSVC record marks it as not automatable with no known exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path is a malicious page that auto-submits a form or triggers a request to the plugin's handler; the victim's browser attaches its WordPress authentication cookie and the plugin accepts the request. Successful exploitation requires the target to be logged in with a role that can reach the affected functionality, and the forged request must match what the handler accepts (for example, Chromium-based browsers treat cookies without a SameSite attribute as Lax, which blocks cross-site form POSTs but not top-level GET navigations, so a handler that acts on GET is more exposed than one that only accepts POST).

Generated by OpenCVE AI on May 1, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Roxnor FundEngine plugin to a release newer than 1.7.3 as soon as an official patch is available; until then, treat every site running <= 1.7.3 as affected.
  • Deactivate or remove the plugin if it is not essential. IP-restricting the plugin's administrative pages does little against CSRF on its own, because the forged request is sent by the victim's own browser from the victim's own address; it only helps where administrators always work from an allow-listed network.
  • WordPress nonces (wp_nonce_field(), check_admin_referer(), check_ajax_referer()) are the framework's CSRF control, but they must be implemented in the plugin's own request handlers; a site operator cannot switch them on for third-party code. What an operator can do is limit the blast radius: keep the roles that can reach the plugin's pages to the minimum needed, have administrators use a separate browser profile for wp-admin and log out when finished, and rely on the SameSite=Lax default that Chromium-based browsers apply to cookies lacking the attribute. That default blocks cross-site form POSTs but not top-level GET navigations, so it is a mitigation, not a substitute for a patch.
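The following is an added example, not code from FundEngine or from Patchstack's advisory, showing the CWE-352 pattern behind this CVE beside the nonce-based fix that a plugin developer would apply. The advisory does not name the affected endpoint, so the action names (demo_fundraising_save, demo_fundraising_ajax_delete), the option name and the capability checks are assumptions chosen to look like a donation plugin's settings and campaign handlers. The hardened handler also shows why a nonce alone is not enough: it proves the request came from the plugin's own form, while current_user_can() decides whether this user may perform the action.

```php
<?php
/**
 * Added example (not FundEngine code). Hypothetical handlers illustrating
 * CWE-352 in a WordPress plugin and the standard nonce + capability fix.
 * Hook names, option names and capabilities are assumptions.
 */

// --- Vulnerable pattern: trusts any POST that arrives with a valid login cookie.
function demo_fundraising_save_vulnerable() {
    // No nonce and no capability check. A form on an attacker's site that posts to
    // /wp-admin/admin-post.php?action=demo_fundraising_save_vuln is accepted as long
    // as the victim's browser attaches its WordPress authentication cookie.
    update_option( 'demo_fundraising_paypal_email', $_POST['paypal_email'] );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-fundraising' ) );
    exit;
}
add_action( 'admin_post_demo_fundraising_save_vuln', 'demo_fundraising_save_vulnerable' );

// --- Hardened pattern: the form carries a nonce bound to this action and this user.
function demo_fundraising_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_fundraising_save">
        <?php wp_nonce_field( 'demo_fundraising_save', 'demo_fundraising_nonce' ); ?>
        <input type="email" name="paypal_email"
               value="<?php echo esc_attr( get_option( 'demo_fundraising_paypal_email', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_fundraising_save_hardened() {
    // 1. The nonce proves the request came from the plugin's own form, rendered for
    //    this logged-in user. check_admin_referer() calls wp_die() on a missing or
    //    invalid nonce, so a cross-site forgery stops here.
    check_admin_referer( 'demo_fundraising_save', 'demo_fundraising_nonce' );

    // 2. A nonce is not authorisation: confirm the caller's role separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 3. Sanitise before persisting. (Assumed field name and option name.)
    $email = isset( $_POST['paypal_email'] )
        ? sanitize_email( wp_unslash( $_POST['paypal_email'] ) )
        : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address', 400 );
    }
    update_option( 'demo_fundraising_paypal_email', $email );

    wp_safe_redirect( admin_url( 'admin.php?page=demo-fundraising' ) );
    exit;
}
add_action( 'admin_post_demo_fundraising_save', 'demo_fundraising_save_hardened' );

// --- Same rule for AJAX endpoints: check_ajax_referer() then a capability check.
//     The nonce would be created with wp_create_nonce( 'demo_fundraising_ajax' ) and
//     passed to the page script via wp_localize_script() (hypothetical names).
function demo_fundraising_ajax_delete_campaign() {
    check_ajax_referer( 'demo_fundraising_ajax', 'nonce' );

    $id = isset( $_POST['campaign_id'] ) ? absint( $_POST['campaign_id'] ) : 0;
    if ( ! $id || ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $id, true );
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_demo_fundraising_ajax_delete', 'demo_fundraising_ajax_delete_campaign' );
```

Handlers hooked only to admin_post_{action} and wp_ajax_{action} (not the nopriv variants) still need the nonce: the whole point of CSRF is that the victim is already logged in, so "requires login" is exactly the condition the attacker relies on. When auditing a plugin for this class of bug, list every admin_post_, wp_ajax_ and admin-menu page callback that writes state and confirm each one reaches check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before its first write.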



Advisories
Source: EUVD
ID: EUVD-2025-13856
Title: Cross-Site Request Forgery (CSRF) vulnerability in XpeedStudio WP Fundraising Donation and Crowdfunding Platform allows Cross Site Request Forgery. This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through 1.7.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Cross-Site Request Forgery (CSRF) vulnerability in XpeedStudio WP Fundraising Donation and Crowdfunding Platform allows Cross Site Request Forgery. This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through 1.7.3.
Description (added): Cross-Site Request Forgery (CSRF) vulnerability in Roxnor FundEngine wp-fundraising-donation allows Cross Site Request Forgery.This issue affects FundEngine: from n/a through <= 1.7.3.
Title (removed): WordPress WP Fundraising Donation and Crowdfunding Platform <= 1.7.3 - Cross Site Request Forgery (CSRF) Vulnerability
Title (added): WordPress WP Fundraising Donation and Crowdfunding Platform plugin <= 1.7.3 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss (removed): {'score': 0.00017}

Metrics epss (added): {'score': 0.0002}


Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in XpeedStudio WP Fundraising Donation and Crowdfunding Platform allows Cross Site Request Forgery. This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through 1.7.3.
Title WordPress WP Fundraising Donation and Crowdfunding Platform <= 1.7.3 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:41.634Z

Reserved: 2025-05-07T09:38:48.852Z

Link: CVE-2025-47459

Vulnrichment

Updated: 2025-05-07T17:21:27.086Z

NVD

Status : Deferred

Published: 2025-05-07T15:15:59.990

Modified: 2026-04-23T15:30:15.413

Link: CVE-2025-47459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:00:12Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)