CVE-2025-10186: CWE-862 Missing Authorization in jjlemstra WhyDonate – FREE Donate button – Crowdfunding – Fundraising
The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.
AI Analysis
Technical Summary
CVE-2025-10186 is a missing authorization vulnerability in the WhyDonate – FREE Donate button – Crowdfunding – Fundraising WordPress plugin by jjlemstra. The vulnerability arises because the remove_row function does not perform capability checks, enabling unauthenticated attackers to delete rows from the wp_wdplugin_style table. This can lead to unauthorized data loss. The issue affects all versions up to and including 4.0.15. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, but integrity impact is low.
Potential Impact
An attacker without authentication can delete data rows from the plugin's wp_wdplugin_style table, resulting in unauthorized data loss. There is no reported impact on confidentiality or availability. The integrity of the plugin's stored style data is compromised, which may affect plugin functionality or appearance.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the WordPress installation and monitor for suspicious activity related to the WhyDonate plugin. Avoid using affected versions and consider disabling the plugin if possible.
CVE-2025-10186: CWE-862 Missing Authorization in jjlemstra WhyDonate – FREE Donate button – Crowdfunding – Fundraising
Description
The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-10186 is a missing authorization vulnerability in the WhyDonate – FREE Donate button – Crowdfunding – Fundraising WordPress plugin by jjlemstra. The vulnerability arises because the remove_row function does not perform capability checks, enabling unauthenticated attackers to delete rows from the wp_wdplugin_style table. This can lead to unauthorized data loss. The issue affects all versions up to and including 4.0.15. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, but integrity impact is low.
Potential Impact
An attacker without authentication can delete data rows from the plugin's wp_wdplugin_style table, resulting in unauthorized data loss. There is no reported impact on confidentiality or availability. The integrity of the plugin's stored style data is compromised, which may affect plugin functionality or appearance.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the WordPress installation and monitor for suspicious activity related to the WhyDonate plugin. Avoid using affected versions and consider disabling the plugin if possible.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-09-09T15:17:41.637Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68ef5c7cc4f69c9730e56967
Added to database: 10/15/2025, 8:34:04 AM
Last enriched: 4/9/2026, 3:46:03 PM
Last updated: 5/12/2026, 3:54:36 AM
Views: 84
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.