CVE-2026-4650 - Vulnerability Details

Description

The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users via wp_ajax_nopriv. The function only validates that the schema parameter equals 'donate-ajax' and that the required POST parameters are present, but fails to verify user capabilities, nonce tokens, or donation ownership. This makes it possible for unauthenticated attackers to modify the status of any donation by providing its ID (which are sequential integers and easily enumerable), allowing them to mark donations as completed, pending, cancelled, or any arbitrary status, potentially triggering email notifications and related side effects.

Published: 2026-05-02

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The FundPress WordPress donation plugin contains a missing authorization check in its donate_action_status AJAX handler. When a request is received from an unauthenticated user, the function validates only the schema parameter and the presence of POST variables without verifying nonce tokens, user capabilities, or donation ownership. This allows an attacker to supply any numeric donation ID—which is sequential and easily enumerated—to change the status of that donation to any value, such as completed, pending, or cancelled. The change can trigger email notifications and other side effects associated with the status change, potentially creating confusion or financial inaccuracies.

Affected Systems

The vulnerability affects the FundPress plugin for WordPress in versions up to and including 2.0.8. The issue exists in the code by which the plugin registers the donate_action_status function as a wp_ajax_nopriv endpoint, making it reachable to any visitor of the site. No other vendor or product is impacted by this specific flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting that public exploitation is not yet confirmed. Attackers can exploit the flaw by sending HTTP POST requests to the donate_action_status endpoint from any network. Since the donation IDs are simple, sequential integers, enumeration is trivial, and the exploit requires no authentication or additional credentials. While the risk is moderate, the potential for financial impact or administrative misrepresentation warrants timely remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

thimpress

FundPress – WordPress Donation Plugin

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0.8

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update FundPress to version 2.0.9 or higher, which removes the unauthenticated AJAX handler for donation status changes.
If an immediate update is not possible, block unauthenticated access to the donate_action_status endpoint using a web‑application firewall or by adding a rule that requires a valid nonce or user capability before processing the request.
Audit and revoke any email notifications that may have been triggered by unauthorized status changes, and examine donation records for inconsistencies caused by unapproved status modifications.

Generated by OpenCVE AI on May 2, 2026 at 09:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-ajax.php#L173
https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-ajax.php#L179
https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-donate.php#L189
https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.9/inc/class-dn-ajax.php#L179
https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-ajax.php#L173
https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-ajax.php#L179
https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-donate.php#L189
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3502937%40fundpress&new=3502937%40fundpress&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/5db3c66f-0a9c-4233-923c-0965dec68c60?source=cve

History

Sat, 02 May 2026 08:00:00 +0000

Type	Values Removed	Values Added
Description		The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users via wp_ajax_nopriv. The function only validates that the schema parameter equals 'donate-ajax' and that the required POST parameters are present, but fails to verify user capabilities, nonce tokens, or donation ownership. This makes it possible for unauthenticated attackers to modify the status of any donation by providing its ID (which are sequential integers and easily enumerable), allowing them to mark donations as completed, pending, cancelled, or any arbitrary status, potentially triggering email notifications and related side effects.
Title		FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification via donate_action_status AJAX Handler
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-ajax.php#L173 https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-ajax.php#L179 https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-donate.php#L189 https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.9/inc/class-dn-ajax.php#L179 https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-ajax.php#L173 https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-ajax.php#L179 https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-donate.php#L189 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3502937%40fundpress&new=3502937%40fundpress&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/5db3c66f-0a9c-4233-923c-0965dec68c60?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-02T07:46:39.963Z

Updated: 2026-05-02T07:46:39.963Z

Reserved: 2026-03-23T14:25:12.853Z

Link: CVE-2026-4650

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T08:16:27.307

Modified: 2026-05-02T08:16:27.307

Link: CVE-2026-4650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:00:06Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object