Description
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload).
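As an added, hypothetical illustration (not the plugin's own code and not its fix), the following PHP shows the two controls the description identifies as missing: treating a request with no uploaded file as a no-op instead of accepting a raw posted value, and verifying that the stored attachment belongs to the acting user before calling wp_delete_attachment(). The function names are invented; the 'avatar' meta key and the WordPress core functions used are real.

```php
<?php
// Added example, not the plugin's own code or patch; all names are invented.

// True only if $attachment_id is an attachment post owned by $user_id
// (or one the user may delete by capability). Anything else is rejected.
function example_user_owns_attachment( $attachment_id, $user_id ) {
    $attachment_id = absint( $attachment_id );
    if ( 0 === $attachment_id ) {
        return false;
    }
    $post = get_post( $attachment_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return false;
    }
    // This is the ownership check the vulnerable flow lacked.
    return (int) $post->post_author === (int) $user_id
        || user_can( $user_id, 'delete_post', $attachment_id );
}

// Save a newly uploaded avatar for the current user and remove the old one.
// $field_name is the file input's name (assumed to be 'avatar').
function example_save_avatar( $field_name = 'avatar' ) {
    $user_id = get_current_user_id();

    // Gap 1: with no uploaded file there is nothing to do. Never fall back
    // to a raw $_POST value to populate the stored attachment ID.
    if ( empty( $_FILES[ $field_name ]['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No avatar file was uploaded.' );
    }
    $new_id = media_handle_upload( $field_name, 0 ); // 0: not attached to a post
    if ( is_wp_error( $new_id ) ) {
        return $new_id;
    }

    // Gap 2: delete the previous avatar only if the stored ID really is an
    // attachment this user owns; a poisoned meta value is simply discarded.
    $old_id = get_user_meta( $user_id, 'avatar', true );
    if ( $old_id && example_user_owns_attachment( $old_id, $user_id ) ) {
        wp_delete_attachment( (int) $old_id, true );
    }
    update_user_meta( $user_id, 'avatar', (int) $new_id );
    return (int) $new_id;
}
```

media_handle_upload() is an admin-side function, so a front-end form handler must load wp-admin/includes/file.php, media.php and image.php before calling it. The usual nonce and capability checks for the profile form are assumed to happen before example_save_avatar() runs.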
Published: 2026-06-05
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, authentication is required with at least Subscriber-level permissions. The vulnerability is an insecure direct object reference that allows such authenticated users to delete arbitrary media attachments. The flaw originates in the profile avatar update function that calls wp_delete_attachment on an attachment ID read from user metadata without verifying ownership. By injecting a crafted value into the avatar meta field, an attacker can poison the metadata and then trigger deletion through a standard avatar upload. The impact is unauthorized loss of media files, which can disrupt site functionality, obscure transaction data, or cause a denial of service.

Affected Systems

The flaw affects the Charitable – Donation Plugin for WordPress made by smub, version 1.8.11.1 and earlier. Sites running any of these releases are vulnerable. No other versions are mentioned as affected.

Risk and Exploitability

The CVSS score of 4.3 reflects a medium-low risk; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated WordPress user with at least Subscriber-level access and involves two steps: first poisoning the avatar metadata and then performing an avatar upload. Although it does not lead to code execution or elevated privileges, the ability to delete any attachment represents a significant integrity breach that could be abused for sabotage or to remove evidence.

Generated by OpenCVE AI on June 6, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Charitable plugin to the most recent release where the avatar handling logic has been fixed.
  • Remove or reset any existing avatar metadata entries that contain non-owner attachment IDs to eliminate poisoned references.
  • Restrict avatar upload capability to users with higher privileges or enforce ownership checks before deletion until a patch is installed.

Advisories

No advisories yet.

References
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/abstracts/abstract-class-charitable-form.php#L429
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L724
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L728
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/users/class-charitable-user.php#L986
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/utilities/class-charitable-data-processor.php#L270
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/abstracts/abstract-class-charitable-form.php#L429
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L724
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L728
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/users/class-charitable-user.php#L986
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/utilities/class-charitable-data-processor.php#L270
https://plugins.trac.wordpress.org/changeset/3557047/charitable/trunk/includes/forms/class-charitable-profile-form.php?old=3435951&old_path=charitable%2Ftrunk%2Fincludes%2Fforms%2Fclass-charitable-profile-form.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/657bea00-9709-48b8-807a-c9a18b0aee1d?source=cve
History

Sat, 06 Jun 2026 01:45:00 +0000

Type: First Time appeared
Values Added: Smub; Smub charitable – Donation Plugin For Wordpress – Fundraising With Recurring Donations & More; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Smub; Smub charitable – Donation Plugin For Wordpress – Fundraising With Recurring Donations & More; Wordpress; Wordpress wordpress

Sat, 06 Jun 2026 00:00:00 +0000

Type: Description
Values Added: (identical to the Description at the top of this page)

Type: Title
Values Added: Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-05T23:28:26.335Z

Reserved: 2026-05-28T19:32:46.255Z

Link: CVE-2026-10038

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-06T00:16:40.670

Modified: 2026-06-06T00:16:40.670

Link: CVE-2026-10038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T02:00:10Z

Weaknesses