CVE-2025-10186: CWE-862 Missing Authorization in jjlemstra WhyDonate – FREE Donate button – Crowdfunding – Fundraising
The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.14. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-10186 affects the WhyDonate – FREE Donate button – Crowdfunding – Fundraising WordPress plugin developed by jjlemstra. This plugin is widely used to facilitate donations and crowdfunding on WordPress sites. The root cause of the vulnerability is a missing authorization check (CWE-862) in the remove_row function, which is responsible for deleting entries from the wp_wdplugin_style database table. Because the function lacks proper capability verification, unauthenticated attackers can invoke it remotely without any credentials or user interaction, allowing them to delete rows from the plugin's database table. This deletion can disrupt the plugin's styling or configuration data, potentially impairing its functionality or causing data loss. The vulnerability affects all versions up to and including 4.0.14. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability is significant because it compromises data integrity by enabling unauthorized deletion, which could affect site appearance or fundraising operations. Since the plugin is used globally on WordPress sites, the vulnerability has a broad potential impact. The lack of authentication requirement makes exploitation relatively easy for attackers scanning for vulnerable sites.
Potential Impact
The primary impact of this vulnerability is a loss of data integrity within the WhyDonate plugin's database table. Attackers can delete rows from the wp_wdplugin_style table, which may result in loss of styling or configuration data critical to the plugin's operation. This could degrade the user experience on affected websites, disrupt fundraising campaigns, or create administrative overhead to restore lost data. Although the vulnerability does not directly affect confidentiality or availability, the integrity loss can indirectly impact availability if the plugin malfunctions or if site administrators disable it to limit the damage. Organizations relying on this plugin for donation processing or crowdfunding may face operational disruptions and reputational damage if attackers exploit this flaw. Because exploitation requires no authentication, the risk of automated attacks against vulnerable WordPress sites worldwide is increased. Given the widespread use of WordPress and the plugin's niche functionality, the impact is moderate overall but significant for affected organizations.
Mitigation Recommendations
Since no official patch is currently linked, organizations should implement interim mitigations to reduce risk. First, restrict access to the vulnerable remove_row function by applying web application firewall (WAF) rules that block unauthenticated requests targeting the plugin's endpoints or parameters associated with row deletion. Second, limit public exposure of the WordPress admin-ajax.php endpoint or other AJAX endpoints used by the plugin through IP allow-listing or authentication enforcement, bearing in mind that other plugins and themes may rely on unauthenticated access to admin-ajax.php for legitimate front-end features, so such restrictions should be tested before deployment. Third, monitor web server and application logs for requests attempting to invoke remove_row or delete data from the wp_wdplugin_style table. Fourth, consider temporarily disabling or uninstalling the WhyDonate plugin if it is not critical to operations until a patch is released. Fifth, maintain regular backups of the WordPress database so that unauthorized deletions can be recovered. Finally, watch for official patches or updates from the plugin developer and apply them promptly once available.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-09T15:17:41.637Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7cc4f69c9730e56967
Added to database: 10/15/2025, 8:34:04 AM
Last enriched: 2/27/2026, 6:15:12 PM
Last updated: 3/28/2026, 10:47:07 AM