Description
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Charitable donation plugin incorporates the 's' search parameter from the donation management admin screen into an SQL query without escaping the value and without binding it through a prepared statement. Any authenticated user who holds the edit_others_donations capability (a custom capability, hence the "Custom+" in the advisory title) can append SQL clauses to the existing query and read data from the WordPress database. The CVSS vector (C:H/I:N/A:N) reflects the disclosed impact: data extraction, not modification. The weakness is a classic parameter-level SQL injection (CWE-89).
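The injection class described above, as an added example that is not code from the Charitable plugin or from OpenCVE: a Python model of a search query that interpolates the 's' value (the vulnerable form) beside the same query with the value bound as a parameter and LIKE wildcards escaped (the hardened form). The schema, rows and payload are constructed for the example, not taken from the plugin; the WordPress equivalent of the hardened form is `$wpdb->prepare()` combined with `$wpdb->esc_like()`.

```python
import sqlite3


def make_db():
    """Constructed sample schema (not the plugin's real tables).

    'donations' is what the admin search is meant to query; 'users' stands in
    for the table an attacker actually wants to read.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE donations (id INTEGER PRIMARY KEY, donor TEXT, amount REAL);
        INSERT INTO donations (donor, amount) VALUES ('Alice', 25.0), ('Bob', 100.0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO users (user_login, user_pass) VALUES ('admin', '$P$Bfakehash');
        """
    )
    return conn


def search_vulnerable(conn, s):
    """Flaw class from the advisory: 's' is pasted into the query text.

    No escaping, no prepared statement, so a quote in 's' ends the string
    literal and the rest of the value becomes SQL.
    """
    sql = f"SELECT donor, amount FROM donations WHERE donor LIKE '%{s}%'"
    return conn.execute(sql).fetchall()


def escape_like(s):
    """Escape LIKE metacharacters so a search term cannot widen the match.

    Equivalent in WordPress: $wpdb->esc_like().
    """
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn, s):
    """Hardened form: the value travels as a bound parameter.

    The driver sends the term separately from the SQL text, so quotes and
    comment sequences inside it are data, never syntax.
    Equivalent in WordPress: $wpdb->prepare() with a %s placeholder.
    """
    sql = "SELECT donor, amount FROM donations WHERE donor LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (f"%{escape_like(s)}%",)).fetchall()


# Constructed payload: closes the LIKE literal, appends a UNION that pulls the
# users table (same column count as the original SELECT), and comments out
# the trailing "%'" that the original query would otherwise leave dangling.
PAYLOAD = "x%' UNION SELECT user_login, user_pass FROM users -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # leaks the admin row
    print("hardened:  ", search_hardened(db, PAYLOAD))    # nothing matches
    print("normal:    ", search_hardened(db, "ali"))      # ordinary search still works
```

The vulnerable function returns the `admin` row for the payload because the UNION runs as part of the query; the hardened function returns nothing for the same input, since the whole payload is matched as a literal donor name, while a normal search term still finds `Alice`.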

Affected Systems

The flaw exists in all released versions of the Charitable plugin up to and including 1.8.10.4, on any WordPress site where the plugin is active. Exploitation requires an account that can reach the donation management admin area, so sites that grant edit_others_donations only to trusted staff reduce, but do not remove, their exposure. The injection point is in the plugin's donation management component rather than in WordPress core or other plugins, but because the query runs with the site's database credentials, the data an attacker can read is not limited to the plugin's own tables.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) the vulnerability is of medium severity. The exploit requires only an authenticated account holding the edit_others_donations capability; on many sites this is held by administrators and by any custom role created for fundraising staff. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, so the likelihood of broad in-the-wild exploitation currently appears low; an attacker who already holds, or has phished, qualifying credentials can nevertheless use the injection to read database tables beyond the plugin's own. The risk is reduced by restricting the capability to a minimal set of trusted users and by applying the vendor's fix as soon as a release newer than 1.8.10.4 is available.

Generated by OpenCVE AI on May 13, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Charitable plugin to a version newer than 1.8.10.4
  • Back up the WordPress database and files prior to upgrading
  • Restrict the edit_others_donations capability to trusted administrators only

Generated by OpenCVE AI on May 13, 2026 at 05:22 UTC.


Advisories

No advisories yet.

History

Wed, 13 May 2026 11:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 05:45:00 +0000

Type: First time appeared
Values added: Smub; Smub charitable – Donation Plugin For Wordpress – Fundraising With Recurring Donations & More; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Smub; Smub charitable – Donation Plugin For Wordpress – Fundraising With Recurring Donations & More; Wordpress; Wordpress wordpress

Wed, 13 May 2026 04:45:00 +0000

Type: Description
Values added: The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values added: Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter

Type: Weaknesses
Values added: CWE-89

Type: References
Values added: (none recorded)

Type: Metrics
Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T10:22:39.226Z

Reserved: 2026-05-01T13:19:14.129Z

Link: CVE-2026-7619

Vulnrichment

Updated: 2026-05-13T10:18:58.098Z

NVD

Status: Deferred

Published: 2026-05-13T05:16:24.603

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-7619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T05:30:15Z

Weaknesses