Insufficient Data Verification in Charitable Donation Plugin for WordPress
CVE-2026-3177

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Charitable – Donation Plugin For WordPress – Fundraising With Recurring Donations & More
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-3177?

The Charitable Donation Plugin for WordPress is vulnerable due to inadequate cryptographic verification of incoming Stripe webhook events. This flaw allows unauthenticated attackers to fabricate webhook payloads, specifically 'payment_intent.succeeded', enabling them to mark pending donations as completed without any legitimate payment being processed. Users of versions up to and including 1.8.9.7 must take immediate action to secure their installations and ensure proper payment processing.

Affected Version(s)

Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More 0 <= 1.8.9.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3485023/char...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Feb 25, 2026

Credit

Andrés Cruciani

CVE-2026-3177 Data

JSON