Description
The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Modification via CSRF
Action: Patch Now
AI Analysis

Impact

The Bitcoin Donate Button plugin for WordPress has a Cross‑Site Request Forgery flaw caused by missing or incorrect nonce validation on its settings page. An attacker who can trick a site administrator into clicking a crafted link can forge a request that alters the plugin’s configuration, such as changing donation addresses or display options. This compromises the integrity of the donation process and can lead to financial loss by redirecting funds to attacker‑controlled addresses.

Affected Systems

All installations of the Bitcoin Donate Button plugin up to and including version 1.0 from the vendor lxicon are affected. The vulnerability is present in every version up to the 1.0 release; no later versions are documented as affected.

Risk and Exploitability

The CVSS base score is 4.3, indicating a moderate severity. The EPSS score is less than 1%, implying a low likelihood of exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely local with a need for the administrator to click a malicious link; the attacker does not need to be authenticated but requires social engineering of an admin. The risk is moderate, with potential for financial damage if an attacker can reconfigure payment addresses.

Generated by OpenCVE AI on April 15, 2026 at 18:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bitcoin Donate Button plugin to the latest available version that implements proper nonce checks for settings updates.
  • If an upgrade cannot be applied immediately, add a server‑side or WordPress‑level filter that requires a valid nonce or referer check for requests targeting the settings endpoint, thereby preventing unauthenticated CSRF requests.
  • Restrict the ability to modify plugin settings to a small set of trusted administrators and enable multi‑factor authentication for admin accounts to reduce the likelihood of successful social‑engineering attempts.

Generated by OpenCVE AI on April 15, 2026 at 18:58 UTC.
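The second recommended action comes down to one thing: the handler that writes the plugin's options must refuse any request that does not carry a valid WordPress nonce for the current user and action. The following is an added example, not code from the Bitcoin Donate Button plugin or from its vendor. It shows the CSRF-vulnerable pattern the advisory describes (a settings save that runs on any POST) next to a hardened version that mints a nonce in the form and verifies it, together with the capability, before touching the option. The option name, menu slug, field names and the `bdb_example_` prefix are assumptions for the example.

```php
<?php
// Added example (not the plugin's own code). Option name, page slug, field
// names and the bdb_example_ prefix are assumptions.

// --- Vulnerable pattern (shown for contrast, deliberately not hooked):
// the option is overwritten on any POST, with no nonce and no capability
// check, so a forged cross-site form submitted by a logged-in admin succeeds.
function bdb_example_save_settings_vulnerable() {
    if ( isset( $_POST['bdb_btc_address'] ) ) {
        $address = sanitize_text_field( wp_unslash( $_POST['bdb_btc_address'] ) );
        update_option( 'bdb_example_btc_address', $address );
    }
}

// --- Hardened pattern, step 1: the form carries a nonce tied to this
// action and to the logged-in user, plus the admin-post action name.
function bdb_example_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'bdb_example_save_settings', 'bdb_example_nonce' ); ?>
        <input type="hidden" name="action" value="bdb_example_save_settings">
        <label>Donation address
            <input type="text" name="bdb_btc_address"
                   value="<?php echo esc_attr( get_option( 'bdb_example_btc_address', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, step 2: verify capability and nonce before any write.
function bdb_example_save_settings_hardened() {
    // Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: check_admin_referer() terminates the request with a 403
    // page when the nonce is missing, expired, or was issued for another
    // user or action. A cross-site page cannot read the admin's nonce, so a
    // forged request never reaches update_option().
    check_admin_referer( 'bdb_example_save_settings', 'bdb_example_nonce' );

    $address = isset( $_POST['bdb_btc_address'] )
        ? sanitize_text_field( wp_unslash( $_POST['bdb_btc_address'] ) )
        : '';
    update_option( 'bdb_example_btc_address', $address );

    // Send the admin back to the settings page (same-origin redirect only).
    $back = wp_get_referer() ?: admin_url( 'options-general.php?page=bdb-example' );
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}

// Wire the hardened handler to admin-post.php and register the settings page.
add_action( 'admin_post_bdb_example_save_settings', 'bdb_example_save_settings_hardened' );
add_action( 'admin_menu', function () {
    add_options_page(
        'BDB Example Settings',
        'BDB Example',
        'manage_options',
        'bdb-example',
        'bdb_example_render_settings_page'
    );
} );
```

Two points worth noting when reviewing a plugin for this class of bug. First, the nonce and the capability check are complementary: `current_user_can()` alone does not stop CSRF, because the forged request rides on the victim admin's session and passes that check; `check_admin_referer()` alone would let a low-privilege user with a valid nonce for a different context attempt the write. Second, `check_admin_referer()` already handles the failure path (it calls `wp_die()`), so the write after it is unreachable on a forged request; if a plugin uses `wp_verify_nonce()` instead, its return value must be tested and the request aborted on `false`, since `wp_verify_nonce()` itself does nothing on failure.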

Tracking


Advisories

No advisories yet.

History

Thu, 29 Jan 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Lxicon; Lxicon bitcoin Donate Button; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Lxicon; Lxicon bitcoin Donate Button; Wordpress; Wordpress wordpress

Wed, 28 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 11:30:00 +0000

Type: Description
Values Added: The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: Bitcoin Donate Button <= 1.0 - Cross-Site Request Forgery to Settings Update

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Lxicon Bitcoin Donate Button
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:28.346Z

Reserved: 2026-01-23T18:34:44.736Z

Link: CVE-2026-1380

Vulnrichment

Updated: 2026-01-28T14:34:46.569Z

NVD

Status : Deferred

Published: 2026-01-28T12:15:52.887

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses