
Description

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment.

PUBLISHED | Reserved 2026-02-25 | Published 2026-04-07 | Updated 2026-04-08 | Assigner Wordfence

MEDIUM: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-345 Insufficient Verification of Data Authenticity

Product status

Default status: unaffected

Any version: affected

Timeline

2026-02-25: Vendor Notified
2026-04-06: Disclosed

Credits

Andrés Cruciani (finder)

References

www.wordfence.com/...-7b57-4884-99c5-e37dbd4a9600?source=cve

plugins.trac.wordpress.org/changeset/3485023/charitable

cve.org (CVE-2026-3177)

nvd.nist.gov (CVE-2026-3177)
