Insecure Direct Object Reference in Charitable Donation Plugin for WordPress
CVE-2026-10038

4.3 MEDIUM

What is CVE-2026-10038?

The Charitable – Donation Plugin for WordPress is vulnerable to an insecure direct object reference (IDOR) and authorization bypass that allows authenticated users with Subscriber-level access and above to delete arbitrary attachments from the Media Library. The flaw lies in how the 'avatar' user meta value is handled when a profile avatar is updated: the 'save_avatar()' function reads an attachment ID from user meta and deletes it without verifying that the attachment belongs to the user. An attacker can first set the avatar metadata to the ID of a targeted attachment and then trigger its deletion through a normal avatar upload. The issue illustrates the need to check ownership and permissions on any object ID a user can influence before acting on it.
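As an added illustration, not the plugin's own code, the following shows the weak pattern the advisory describes next to a hardened form. The function names, the 'avatar' meta key and the helper are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example (not the plugin's code): an avatar-save handler that trusts
// an attachment ID stored in user meta, and a hardened version of it.
// The 'avatar' meta key and all example_* names are assumptions.

// Weak pattern: the old ID comes straight from user meta, which the user may
// be able to set, and is deleted without checking what it is or who owns it.
function example_save_avatar_unsafe( $user_id, $new_attachment_id ) {
    $old_id = (int) get_user_meta( $user_id, 'avatar', true );
    if ( $old_id ) {
        wp_delete_attachment( $old_id, true ); // no ownership check
    }
    update_user_meta( $user_id, 'avatar', (int) $new_attachment_id );
}

// Hardened pattern: only delete the stored ID if it is an attachment that
// this user uploaded and that the acting user is allowed to delete; also
// refuse to store a new ID the user does not own.
function example_save_avatar_safe( $user_id, $new_attachment_id ) {
    $old_id = absint( get_user_meta( $user_id, 'avatar', true ) );
    $new_id = absint( $new_attachment_id );

    if ( ! example_user_owns_attachment( $user_id, $new_id ) ) {
        return false; // do not record an avatar the user does not own
    }
    if ( $old_id && $old_id !== $new_id
         && example_user_owns_attachment( $user_id, $old_id ) ) {
        wp_delete_attachment( $old_id, true );
    }
    update_user_meta( $user_id, 'avatar', $new_id );
    return true;
}

// Ownership check: the ID must resolve to an attachment post authored by
// $user_id, and WordPress's own capability mapping must allow deletion.
function example_user_owns_attachment( $user_id, $attachment_id ) {
    $post = get_post( $attachment_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return false; // not an attachment at all
    }
    if ( (int) $post->post_author !== (int) $user_id ) {
        return false; // uploaded by someone else
    }
    return current_user_can( 'delete_post', $attachment_id );
}
```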

Affected Version(s)

Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More 0 <= 1.8.11.1


CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Khanh Nguyen