Description
Cross-Site Request Forgery (CSRF) vulnerability in kanwei_doublethedonation Double the Donation double-the-donation allows Cross Site Request Forgery. This issue affects Double the Donation: from n/a through <= 2.0.0.
Published: 2025-09-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Double the Donation WordPress plugin up to version 2.0.0 contains a cross-site request forgery flaw. An attacker can craft a request that the plugin accepts as if it came from an authenticated user, allowing plugin-specific actions to be executed without authorization. Because the flaw is a standard CSRF weakness (CWE-352), it can be exploited simply by getting a logged-in user to load a crafted URL or submit a form that triggers the vulnerable endpoint. The result is that the attacker can alter donation settings, trigger unwanted donation submissions, or otherwise misuse the plugin's functionality without permission.

Affected Systems

WordPress sites using the Double the Donation plugin by kanwei, any installed version up through 2.0.0.

Risk and Exploitability

The vulnerability received a CVSS score of 4.3, indicating moderate severity. EPSS shows an exploitation probability of less than 1%, so the likelihood of a successful exploit is currently low. The issue is not listed in the CISA KEV catalog. With a standard CSRF attack surface, an attacker would need only to trick a legitimate user or place a malicious link on a trusted page to trigger the vulnerability, making it technically straightforward but not yet widely evidenced in the wild.

Generated by OpenCVE AI on April 30, 2026 at 00:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Double the Donation to version 2.0.1 or newer if available
  • If an upgrade is not immediately possible, disable the plugin’s functionality that can be abused via CSRF or remove the plugin entirely
  • Implement site‑wide CSRF protection measures, such as verifying a unique token on state‑changing requests
  • Consider using a firewall rule to block or rate‑limit POST requests to the plugin’s known endpoints until the patch is applied
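As an added illustration of the token check the third action above recommends (not code from the Double the Donation plugin), the following contrasts a WordPress admin-post handler that accepts any POST with a hardened version that requires a nonce bound to the action and the user plus a capability check. The option name, action name and form field (`ddx_*`) are hypothetical.

```php
<?php
// Added example: hypothetical settings form for a WordPress plugin.
// Not the Double the Donation plugin's code; all ddx_* names are assumed.

// --- Vulnerable handler: any POST to admin-post.php?action=ddx_save_settings
// --- is honoured, so a form submitted cross-site from a logged-in admin's
// --- browser changes the setting. Shown for contrast only; not registered.
function ddx_save_settings_unsafe() {
    update_option( 'ddx_api_key', sanitize_text_field( wp_unslash( $_POST['ddx_api_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ddx' ) );
    exit;
}

// --- Hardened version: the form carries a nonce tied to this action and the
// --- current user's session, and the handler verifies it before any write.
function ddx_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ddx_save_settings">
        <?php wp_nonce_field( 'ddx_save_settings', 'ddx_nonce' ); ?>
        <input type="text" name="ddx_api_key" value="<?php echo esc_attr( get_option( 'ddx_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function ddx_save_settings_safe() {
    // Dies with HTTP 403 when ddx_nonce is missing, expired, or was issued for
    // another user or action. A forged cross-site form cannot obtain this value.
    check_admin_referer( 'ddx_save_settings', 'ddx_nonce' );

    // A nonce proves intent, not authorisation: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', 403 );
    }

    update_option( 'ddx_api_key', sanitize_text_field( wp_unslash( $_POST['ddx_api_key'] ?? '' ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=ddx' ) ) );
    exit;
}

// Only the hardened handler is wired up; admin_post_* hooks fire for logged-in users.
add_action( 'admin_post_ddx_save_settings', 'ddx_save_settings_safe' );
```

The same pattern applies to AJAX endpoints (`check_ajax_referer`) and REST routes (the `X-WP-Nonce` header); every state-changing entry point needs its own check.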


Advisories
Source: EUVD
ID: EUVD-2025-30693
Title: Cross-Site Request Forgery (CSRF) vulnerability in kanwei_doublethedonation Double the Donation allows Cross Site Request Forgery. This issue affects Double the Donation: from n/a through 2.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values removed: Cross-Site Request Forgery (CSRF) vulnerability in kanwei_doublethedonation Double the Donation allows Cross Site Request Forgery. This issue affects Double the Donation: from n/a through 2.0.0.
  Values added: Cross-Site Request Forgery (CSRF) vulnerability in kanwei_doublethedonation Double the Donation double-the-donation allows Cross Site Request Forgery. This issue affects Double the Donation: from n/a through <= 2.0.0.
Type: References
Type: Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 23 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
  Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values added: Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in kanwei_doublethedonation Double the Donation allows Cross Site Request Forgery. This issue affects Double the Donation: from n/a through 2.0.0.
Title WordPress Double the Donation Plugin <= 2.0.0 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:38.779Z

Reserved: 2025-08-22T11:36:24.370Z

Link: CVE-2025-57930

Vulnrichment

Updated: 2025-09-23T15:40:06.041Z

NVD

Status : Deferred

Published: 2025-09-22T19:15:50.280

Modified: 2026-04-23T15:33:03.167

Link: CVE-2025-57930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:45:24Z

Weaknesses