Impact
This vulnerability is a missing authorization flaw in the Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin. It enables an attacker to gain unauthorized access to the plugin's configuration and potentially tamper with donation settings. The flaw is categorized as CWE-862 – Missing Authorization. Unauthorized manipulation could compromise the integrity of the donation process and may allow a malicious actor to redirect funds or alter the displayed donation options.
Affected Systems
The issue affects the AdAstraCrypto Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin for WordPress. All releases up to and including version 2.2.13 are vulnerable, meaning any site running one of those versions is at risk.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate impact, while the EPSS score of less than 1% suggests that exploitation is unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is web-based: exploitation requires only the ability to send specially crafted HTTP requests to the WordPress site, which an attacker may achieve with any level of access to the web application or through phishing. With that access, an unprivileged user could modify donation settings without authentication.
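The advisory does not show the plugin's affected code path, so the following is an added, generic illustration of what CWE-862 (missing authorization) looks like in a WordPress settings handler and how the Impact and Risk sections above map to code. It is not the plugin's code: the hook names, the `example_` function names, the `wallet_address` field and the `example_donation_wallet` option key are all placeholders. The first handler accepts a settings change from any caller; the second refuses the request unless the caller holds the `manage_options` capability and presents a valid nonce for the action.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin settings handler.
// Generic pattern only: every hook, function, field and option name below is
// a placeholder, not an identifier taken from the affected plugin.

// --- Vulnerable pattern ---------------------------------------------------
// The handler is registered for both logged-in (wp_ajax_) and anonymous
// (wp_ajax_nopriv_) callers, and performs no capability or nonce check.
// Any request that reaches it can overwrite the stored wallet address, which
// is exactly the "modify donation settings without authentication" outcome
// described in the advisory.
add_action( 'wp_ajax_nopriv_example_save_settings_vuln', 'example_save_settings_vulnerable' );
add_action( 'wp_ajax_example_save_settings_vuln', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    $address = isset( $_POST['wallet_address'] )
        ? sanitize_text_field( wp_unslash( $_POST['wallet_address'] ) )
        : '';
    // Input is sanitized, but sanitization is not authorization: the caller's
    // right to change this setting was never checked.
    update_option( 'example_donation_wallet', $address );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// Registered only for logged-in users (no wp_ajax_nopriv_ hook), and the
// handler itself enforces both authorization and CSRF protection.
add_action( 'wp_ajax_example_save_settings_secure', 'example_save_settings_secure' );

function example_save_settings_secure() {
    // Authorization (the missing control in CWE-862): only users allowed to
    // manage site options may change donation settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }

    // CSRF protection: the request must carry a nonce minted for this action.
    // check_ajax_referer() terminates the request with -1 when the nonce is bad.
    check_ajax_referer( 'example_save_settings_secure', 'nonce' );

    $address = isset( $_POST['wallet_address'] )
        ? sanitize_text_field( wp_unslash( $_POST['wallet_address'] ) )
        : '';
    update_option( 'example_donation_wallet', $address );
    wp_send_json_success();
}

// The admin page that submits the form obtains the matching nonce like this
// (placeholder action name, same as used in check_ajax_referer() above).
function example_settings_nonce() {
    return wp_create_nonce( 'example_save_settings_secure' );
}
```

When reviewing a plugin for this class of flaw, the two questions to ask of every state-changing AJAX, REST or `admin-post` handler are whether a `wp_ajax_nopriv_` (or `permission_callback => '__return_true'`) registration exposes it to anonymous callers, and whether the handler body itself checks a capability before writing options. Until a fixed release is installed, restricting who can reach the site's admin-ajax endpoint at the web server or WAF layer reduces the exposure the Risk section describes.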
OpenCVE Enrichment