Privilege Escalation in Donation Forms by Charitable Plugin for WordPress
CVE-2023-4404

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Donation Forms By Charitable – Donations Plugin & Fundraising Platform For WordPress
Vendor: CVE Published:; 23 August 2023

What is CVE-2023-4404?

The Donation Forms by Charitable plugin for WordPress permits unauthenticated attackers to escalate privileges by manipulating the 'role' parameter during user registration. This flaw stems from inadequate restrictions in the 'update_core_user' function, allowing attackers to dictate their user role without proper authentication, thus posing serious security risks for affected sites.

Affected Version(s)

Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress * <= 1.7.0.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/charitable/tag...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 23, 2023
Vulnerability Reserved
Aug 17, 2023

Credit

Lana Codes