CVE-2022-0782

Name of the Vulnerable Software and Affected Versions Donations WordPress plugin versions prior to 1.8

Description The issue arises from the lack of sanitization and escaping of the nd donations id parameter in SQL statements. This occurs via the /wp-admin/admin-ajax.php AJAX action, specifically through the nd donations single cause form validate fields php function function, which is accessible to unauthenticated users. This leads to an unauthenticated SQL Injection.

Recommendations For Donations WordPress plugin versions prior to 1.8, update to version 1.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the nd donations single cause form validate fields php function AJAX action to authenticated users only, until a patch is available. Avoid using the nd donations id parameter in the affected AJAX endpoint until the issue is resolved.