Impact
The WP Attractive Donations System plugin contains a CSRF flaw that allows an attacker to make an authenticated WordPress user's browser submit requests the user never intended. This can lead to unauthorized financial transactions, unauthorized changes to donation settings, or any other action the plugin exposes. The flaw is classified as CWE‑352 (Cross‑Site Request Forgery); the risk is that a logged‑in user's session is abused to perform these actions without the user's knowledge.
Affected Systems
All releases of Loopus’ WP Attractive Donations System – Easy Stripe & Paypal donations up to and including version 1.25 are affected. No narrower sub‑version list and no mitigation patch are listed for the earlier releases, so every deployment running a version in that range should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1 % suggests a low likelihood of exploitation. Based on the description, the likely attack vector is inferred to be cross‑site request forgery: it relies on the victim being logged in to the WordPress site, and the plugin's lack of nonce validation lets a request forged from another site trigger actions such as fraudulent donations or configuration changes on the victim's behalf. The vulnerability is not listed in the CISA KEV catalog.
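The missing nonce validation described above is the CWE‑352 pattern in WordPress plugins: a handler acts on a POST because the session cookie is present, without any proof that the user intended the submission. The following is an added illustration, not code from the WP Attractive Donations System plugin or from Loopus; the function names, option name, hook name and form fields (`example_…`) are invented for the example. It shows a hypothetical settings handler first in the unprotected form, then hardened with the standard WordPress nonce and capability checks.

```php
<?php
// Added illustration (not the plugin's code). All names below are hypothetical.

// --- Vulnerable pattern: accepts any POST that arrives with a valid session ---
// Not hooked anywhere; shown only to contrast with the hardened version.
function example_save_donation_settings_vulnerable() {
    if ( ! isset( $_POST['example_currency'] ) ) {
        return;
    }
    // WordPress has authenticated the cookie, but nothing proves the user chose
    // to submit this form. A request forged from another site in the victim's
    // browser carries the same cookie and is accepted just the same (CWE-352).
    update_option(
        'example_donation_currency',
        sanitize_text_field( wp_unslash( $_POST['example_currency'] ) )
    );
}

// --- Hardened pattern: nonce bound to the action, plus a capability check ---
function example_render_donation_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php
        // Emits hidden _wpnonce and _wp_http_referer fields. The nonce is tied
        // to this user, this action string and a limited validity window.
        wp_nonce_field( 'example_save_donation_settings' );
        ?>
        <input type="hidden" name="action" value="example_save_donation_settings">
        <label>Currency <input type="text" name="example_currency"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_donation_settings_hardened() {
    // Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Intent: check_admin_referer() verifies the _wpnonce field for this action
    // and dies with a 403 if it is missing or invalid. A cross-site forgery
    // cannot obtain the victim's nonce, so it stops here.
    check_admin_referer( 'example_save_donation_settings' );

    // Validate the input before storing it.
    $currency = isset( $_POST['example_currency'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_currency'] ) )
        : '';
    if ( ! preg_match( '/^[A-Z]{3}$/', $currency ) ) {
        wp_die( 'Invalid currency', '', array( 'response' => 400 ) );
    }
    update_option( 'example_donation_currency', $currency );

    // Redirect after POST so a page refresh does not resubmit the form.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}

// admin_post_{action} fires only for logged-in users submitting to admin-post.php.
add_action( 'admin_post_example_save_donation_settings', 'example_save_donation_settings_hardened' );
```

The same two checks apply to every state-changing entry point a plugin exposes, not only admin settings pages: AJAX handlers registered on `wp_ajax_{action}` should call `check_ajax_referer()`, and front-end forms shown to logged-in users (such as a donation form) need `wp_nonce_field()` plus `wp_verify_nonce()` on submission. When reviewing a plugin for this issue, look for handlers that read `$_POST` or `$_GET` and then write options, create orders or call a payment API without one of these nonce checks on the path.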
OpenCVE Enrichment