CVE Catalog

CVE-2026-10038

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Summary

The Charitable – Donation Plugin for WordPress is vulnerable to Insecure Direct Object Reference, leading to arbitrary attachment deletion. This issue affects versions up to 1.8.11.1 and is due to a lack of validation of the attachment owner during the profile avatar update.

Risk Assessment

Authenticated attackers with Subscriber-level access and above can delete arbitrary attachments from the Media Library, potentially leading to data loss and system integrity breaches.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability and implement additional validation mechanisms during avatar updates.

Original NVD description (English source)

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS