CVE-2025-10186
📋 TL;DR
This vulnerability allows unauthenticated attackers to delete data from the WhyDonate WordPress plugin's database table. It affects all WordPress sites using WhyDonate plugin versions up to 4.0.14. The missing capability check enables unauthorized data deletion without requiring any authentication.
💻 Affected Systems
- WhyDonate – FREE Donate button – Crowdfunding – Fundraising WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete all donation styling configuration data, disrupting donation functionality and potentially causing fundraising campaigns to fail due to broken donation interfaces.
Likely Case
Attackers delete random or targeted rows from the styling table, causing visual inconsistencies in donation buttons and forms that require manual restoration.
If Mitigated
With proper web application firewalls and intrusion detection, attacks are blocked before reaching the vulnerable endpoint, preventing any data loss.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.0.15 or later
Vendor Advisory: https://wordpress.org/plugins/wp-whydonate/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WhyDonate plugin. 4. Click 'Update Now' if update available. 5. If no update appears, manually download latest version from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Web Application Firewall Rule
allBlock requests to the vulnerable remove_row endpoint
Block HTTP requests containing 'remove_row' parameter targeting WhyDonate plugin endpoints
Temporary Plugin Deactivation
WordPressDisable the plugin until patched
wp plugin deactivate wp-whydonate
🧯 If You Can't Patch
- Disable the WhyDonate plugin immediately
- Implement strict web application firewall rules blocking all unauthorized access to plugin endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → WhyDonate plugin version. If version is 4.0.14 or lower, you are vulnerable.Check Version:
wp plugin get wp-whydonate --field=versionVerify Fix Applied:
Verify plugin version is 4.0.15 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to WhyDonate endpoints containing 'remove_row' parameter
- Database DELETE operations on wp_wdplugin_style table from unauthenticated IPs
Network Indicators:
- Unusual HTTP POST requests to /wp-admin/admin-ajax.php with WhyDonate action parameters from external IPs
SIEM Query:
source="web_logs" AND (uri_path="*admin-ajax.php*" AND post_data="*remove_row*" AND post_data="*whydonate*")