CVE-2025-10186: CWE-862 Missing Authorization in jjlemstra WhyDonate – FREE Donate button – Crowdfunding – Fundraising
The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.14. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.
AI Analysis
Technical Summary
CVE-2025-10186 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress, developed by jjlemstra. The flaw exists in the remove_row function, which lacks proper capability checks, allowing unauthenticated attackers to delete entries from the wp_wdplugin_style database table. This vulnerability affects all versions up to and including 4.0.14. The absence of authorization checks means that any remote attacker can invoke this function without credentials or user interaction, leading to unauthorized modification of plugin data. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level. The impact is limited to integrity loss, as attackers can delete data rows but cannot access confidential information or disrupt service availability. No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability poses a risk primarily to WordPress sites using this plugin for crowdfunding or fundraising purposes, where data integrity is critical for operational trust and donor confidence.
Potential Impact
For European organizations, the primary impact of this vulnerability is the unauthorized deletion of data within the WhyDonate plugin's database table, which could disrupt fundraising operations and damage donor trust. Although it does not expose sensitive information or cause denial of service, the integrity loss could lead to inaccurate fundraising records, financial discrepancies, and potential reputational harm. Organizations relying on this plugin for donation processing or campaign management may experience operational disruptions if attackers exploit this flaw. Given the unauthenticated nature of the vulnerability, attackers can easily target vulnerable sites, increasing the risk of widespread data manipulation. This is particularly concerning for non-profits, charities, and crowdfunding platforms in Europe that depend on accurate and reliable donation data. The lack of available patches means organizations must implement interim controls to mitigate risk until an official fix is released.
Mitigation Recommendations
1. Immediately audit WordPress sites to identify installations of the WhyDonate plugin, especially versions up to 4.0.14.
2. Disable or uninstall the WhyDonate plugin if it is not critical to operations until a patch is available.
3. For sites requiring the plugin, implement web application firewall (WAF) rules to block unauthorized requests targeting the remove_row function or related endpoints.
4. Restrict access to the WordPress admin and plugin endpoints using IP whitelisting or VPN access to reduce exposure.
5. If feasible, apply custom code patches to add capability checks to the remove_row function, ensuring only authorized users can perform deletions.
6. Monitor logs for suspicious requests attempting to invoke the vulnerable function and set up alerts for unusual database deletions.
7. Engage with the plugin vendor or community to track patch releases and apply updates promptly once available.
8. Educate site administrators about the risk and encourage regular backups of the WordPress database to enable recovery from unauthorized deletions.
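Recommendation 5 above asks for a capability check on the deletion handler. The following is an added, constructed illustration of what a hardened WordPress AJAX delete handler for the wp_wdplugin_style table looks like; it is not the WhyDonate plugin's own code, and the action name, nonce name, function name and the manage_options capability are assumptions chosen for the example.

```php
<?php
// Constructed example of a hardened delete handler for the wp_wdplugin_style table.
// NOT the WhyDonate plugin's code: the action name 'wdplugin_remove_row', the nonce
// name, the function name and the required capability are hypothetical.
//
// The CWE-862 defect described in the advisory is a deletion handler reachable by
// unauthenticated callers that never asks who is calling. The fix has three parts:
// register the handler for logged-in users only, verify a nonce, and require a
// capability before the first database write.

// 'wp_ajax_' (not 'wp_ajax_nopriv_') means WordPress only dispatches this action
// for authenticated sessions; anonymous calls to admin-ajax.php never reach it.
add_action( 'wp_ajax_wdplugin_remove_row', 'wdplugin_remove_row_hardened' );

function wdplugin_remove_row_hardened() {
    // 1. Nonce check: the request must carry a token issued by the plugin's own
    //    admin UI (wp_create_nonce( 'wdplugin_remove_row' )), which stops CSRF.
    //    check_ajax_referer() ends the request with HTTP 403 on failure.
    check_ajax_referer( 'wdplugin_remove_row', 'nonce' );

    // 2. Capability check: the authorization step that was missing. Only users
    //    allowed to manage site options may delete style rows.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation: the row id must be a positive integer.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 );
    }

    // 4. Parameterised delete via $wpdb; the format array forces an integer bind.
    global $wpdb;
    $table   = $wpdb->prefix . 'wdplugin_style'; // wp_wdplugin_style on a default prefix
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error' ), 500 );
    }

    // $deleted is the number of rows removed (0 if the id did not exist).
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

Administrators applying an interim patch should also confirm that no `wp_ajax_nopriv_` registration for the same handler remains, since that registration alone re-exposes the function to anonymous callers regardless of checks inside it.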
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-09T15:17:41.637Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7cc4f69c9730e56967
Added to database: 10/15/2025, 8:34:04 AM
Last enriched: 10/15/2025, 8:56:49 AM
Last updated: 10/15/2025, 10:55:39 AM
Related Threats
- CVE-2025-9967: CWE-288 Authentication Bypass Using an Alternate Path or Channel in gsayed786 Orion SMS OTP Verification (Critical)
- CVE-2025-11728: CWE-306 Missing Authentication for Critical Function in oceanpayment Oceanpayment CreditCard Gateway (Medium)
- CVE-2025-11722: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ikhodal Woocommerce Category and Products Accordion Panel (High)
- CVE-2025-11701: CWE-862 Missing Authorization in quicoto Zip Attachments (Medium)
- CVE-2025-11692: CWE-862 Missing Authorization in quicoto Zip Attachments (Medium)