PT-2026-36589 · WordPress · Fundpress

Published: 2026-05-02 · Updated: 2026-05-02 · CVE-2026-4650

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FundPress versions prior to 2.0.9

Description: An authorization bypass exists in the FundPress WordPress Donation Plugin. The donate_action_status() AJAX handler, reachable by unauthenticated users through the wp_ajax_nopriv_ hook, does not verify user capabilities, a nonce token, or ownership of the donation. It only checks that the schema parameter equals 'donate-ajax' and that the required POST parameters are present. Consequently, an unauthenticated attacker can change the status of any donation by supplying its sequential integer ID, marking it completed, pending, cancelled, or any arbitrary value, which may trigger email notifications and other side effects.

Recommendations: Update the plugin to a version later than 2.0.8. As a temporary workaround, restrict access to the donate_action_status() function to reduce the risk of exploitation.
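The three checks the advisory says are missing (nonce, capability, object ownership) map directly onto standard WordPress APIs. The following is an added example of a hardened admin-ajax status handler; it is not FundPress code, and every name in it (the fp_example_ prefix, the fp_donation post type, the fp_status meta key, the fp-donation-status nonce action, the manage_options capability used as the admin check) is a hypothetical stand-in for whatever a real plugin would use.

```php
<?php
/**
 * Added example, not FundPress code: a hardened pattern for an admin-ajax
 * handler that changes a donation's status. The fp_example_* names, the
 * 'fp_donation' post type, the 'fp_status' meta key and the nonce action
 * 'fp-donation-status' are all hypothetical.
 *
 * The advisory's root cause is a handler on wp_ajax_nopriv_* that trusts
 * POST parameters alone. The fix adds the checks the original lacks:
 * a nonce, a logged-in user with a capability, and an ownership check
 * on the object the sequential ID refers to.
 */

// Statuses the handler will set. Anything else is rejected, so a caller
// cannot write an arbitrary string into the donation record.
const FP_EXAMPLE_ALLOWED_STATUSES = array( 'pending', 'completed', 'cancelled' );

function fp_example_donation_status() {
    // 1. Nonce: binds the request to a page this site rendered for this
    //    user. On admin-ajax a failed check dies with HTTP 403.
    check_ajax_referer( 'fp-donation-status', 'nonce' );

    // 2. Authentication: only logged-in users proceed. Note that the
    //    authenticated hook is registered below; the nopriv hook is not.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $donation_id = isset( $_POST['donation_id'] ) ? absint( $_POST['donation_id'] ) : 0;
    $status      = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';

    if ( ! $donation_id || ! in_array( $status, FP_EXAMPLE_ALLOWED_STATUSES, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request' ), 400 );
    }

    // 3. Object-level authorization: the ID alone must not be enough.
    //    Here a donation is assumed to be a post of type fp_donation whose
    //    post_author is the donor; an administrator may act on any donation.
    $donation = get_post( $donation_id );
    if ( ! $donation || 'fp_donation' !== $donation->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }
    $is_owner = (int) $donation->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    update_post_meta( $donation_id, 'fp_status', $status );
    wp_send_json_success( array( 'id' => $donation_id, 'status' => $status ) );
}

// Register only the authenticated hook. Leaving out
// wp_ajax_nopriv_fp_example_donation_status is itself part of the fix:
// status changes are never something an anonymous visitor should drive.
add_action( 'wp_ajax_fp_example_donation_status', 'fp_example_donation_status' );
```

Two design points worth noting: the status whitelist closes the "any arbitrary status" path independently of the authorization checks, and the ownership check is what turns a guessable sequential ID into a harmless value, since knowing an ID no longer grants control over the record. Where a status change genuinely must arrive unauthenticated (for instance a payment-gateway callback), the correct pattern is to verify the gateway's own signature on the callback rather than to reopen the handler on the nopriv hook.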

Fix: available (see Recommendations)

Weakness Enumeration: Missing Authorization


Related Identifiers: CVE-2026-4650

Affected Products: Fundpress