CVE-2024-37510
📋 TL;DR
This CVE describes a missing authorization vulnerability in the Charitable WordPress plugin that allows attackers to access functionality not properly constrained by access control lists. It affects all WordPress sites running Charitable plugin versions up to 1.8.1.7, potentially allowing unauthorized users to perform actions reserved for administrators or other privileged roles.
💻 Affected Systems
- Charitable - Donation Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate donation data, modify fundraising campaigns, access donor information, or perform administrative actions without proper authorization, potentially leading to data breach or financial fraud.
Likely Case
Unauthorized users accessing donation management functions, viewing donor data they shouldn't have access to, or modifying fundraising settings.
If Mitigated
Proper access controls would prevent unauthorized access, limiting functionality to only authorized users as intended.
🎯 Exploit Status
Exploitation requires some level of access to the WordPress site but not necessarily administrative privileges. The vulnerability is in access control logic, making exploitation straightforward once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.1.8 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Charitable plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 1.8.1.8+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the Charitable plugin until patched to prevent exploitation
wp plugin deactivate charitable
Web Application Firewall Rules
allImplement WAF rules to block suspicious access to Charitable plugin endpoints
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WordPress installation
- Add additional authentication/authorization layer in front of WordPress admin area
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Charitable → Version number. If version is 1.8.1.7 or earlier, system is vulnerable.Check Version:
wp plugin get charitable --field=versionVerify Fix Applied:
Verify Charitable plugin version is 1.8.1.8 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /wp-admin/admin-ajax.php with charitable-related actions
- Unusual user role accessing Charitable plugin endpoints
- Failed authorization logs for Charitable functions
Network Indicators:
- HTTP requests to Charitable-specific endpoints from unauthorized IPs/users
- Unusual pattern of AJAX requests to charitable endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php") AND (action="charitable_*") AND (user_role!="administrator")