CVE-2025-49899: Missing Authorization in jjlemstra Whydonate
Missing Authorization vulnerability in jjlemstra Whydonate wp-whydonate allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Whydonate: from n/a through <= 4.0.15.
AI Analysis
Technical Summary
CVE-2025-49899 affects the Whydonate WordPress plugin (slug wp-whydonate) in all versions up to and including 4.0.15. The root cause is a missing authorization check on some of the plugin's functionality: the code is reachable without the plugin verifying that the caller holds the capability the operation requires, so the access control lists (ACLs) that should constrain it are never consulted. As scored in this analysis (CVSS v3.1 base 5.3, medium), the weakness is reachable over the network with low attack complexity, no privileges and no user interaction, and its impact is limited to a loss of confidentiality; integrity and availability are not affected, so the realistic outcome is exposure of donation-related data or read-only functionality rather than tampering with it. Note that the structured record below carries no CVSS version or vector (the field is null), so the 5.3 figure should be read as this analysis's estimate until the assigner publishes one. No exploits have been reported in the wild, and no fixed version had been released at the time of disclosure. The CVE was reserved on 11 June 2025 and published in October 2025. Whydonate is used by organizations to run donation campaigns on WordPress sites, so the unprotected functionality sits close to donor and payment data. Missing authorization (CWE-862) is a common plugin defect: a REST route or admin-ajax action is registered without a permission check, and whatever the handler does becomes available to anyone who can reach the URL. Organizations running Whydonate should identify affected instances now and apply compensating controls until a vendor patch is available.
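The pattern behind a missing-authorization finding in a WordPress plugin, as an added illustration written for this page rather than code from Whydonate or from the advisory. It shows a hypothetical donation-listing REST route and a donation-export admin-ajax action first wired without any permission check, then with a server-side capability check. The namespace donate/v1, the wpd_* functions and the wpd_donations option are all assumed names, and nothing here is claimed to be the actual vulnerable code path in Whydonate.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
 * Not code from Whydonate or from the advisory; every identifier below
 * (donate/v1, wpd_*, the wpd_donations option) is assumed for the example.
 */

/** Handler that returns donation records (stored in an option for the example). */
function wpd_list_donations(WP_REST_Request $request) {
    return rest_ensure_response(get_option('wpd_donations', []));
}

/** Handler that streams the same records as CSV. */
function wpd_export_csv(): void {
    header('Content-Type: text/csv');
    foreach (get_option('wpd_donations', []) as $row) {
        echo implode(',', array_map('strval', (array) $row)), "\n";
    }
    wp_die();
}

/* ---------- VULNERABLE wiring: functionality not constrained by any ACL ---------- */

function wpd_register_routes_vulnerable(): void {
    register_rest_route('donate/v1', '/donations', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'wpd_list_donations',
        // '__return_true' makes the route public: an unauthenticated GET to
        // /wp-json/donate/v1/donations returns every donation record.
        'permission_callback' => '__return_true',
    ]);
}
// wp_ajax_nopriv_* fires for visitors with no session at all, and the handler
// checks neither a capability nor a nonce, so
// GET /wp-admin/admin-ajax.php?action=wpd_export is open to anyone.
// (Left commented out so the hardened wiring below is the one that loads.)
// add_action('rest_api_init', 'wpd_register_routes_vulnerable');
// add_action('wp_ajax_nopriv_wpd_export', 'wpd_export_csv');
// add_action('wp_ajax_wpd_export', 'wpd_export_csv');

/* ---------- HARDENED wiring: authorization decided server-side ---------- */

/** REST permission callback: decided from the current user's capability, never from request data. */
function wpd_can_manage_donations($request = null) {
    return current_user_can('manage_options')
        ? true
        : new WP_Error('rest_forbidden', 'Insufficient privileges.', ['status' => 403]);
}

function wpd_register_routes_hardened(): void {
    register_rest_route('donate/v1', '/donations', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'wpd_list_donations',
        'permission_callback' => 'wpd_can_manage_donations',
    ]);
}

/** AJAX handler guarded by both a nonce (CSRF) and a capability check (authorization). */
function wpd_export_csv_guarded(): void {
    check_ajax_referer('wpd_export');                       // dies with 403 on a missing/bad nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403); // nonce alone is not authorization
    }
    wpd_export_csv();
}

add_action('rest_api_init', 'wpd_register_routes_hardened');
// No wp_ajax_nopriv_ hook: anonymous callers get WordPress's default "0" response.
add_action('wp_ajax_wpd_export', 'wpd_export_csv_guarded');
```

Two points worth carrying into a code review: a permission_callback of '__return_true' is the REST equivalent of no ACL at all and is the single most common origin of this class of plugin CVE, and a nonce check on its own is not authorization (it only proves the request originated from a page WordPress rendered), so check_ajax_referer() has to be paired with current_user_can().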
Potential Impact
For European organizations, especially nonprofits and charities that rely on Whydonate to manage online donations, this vulnerability could expose sensitive donor information or donation-processing functions to unauthorized callers. Although the vulnerability affects neither data integrity nor availability, unauthorized access to confidential data can damage organizational reputation, constitute a personal-data breach under GDPR, and hand attackers donor details that are later used for fraud or erode donor trust. Because exploitation as scored requires no authentication or user interaction, attackers can probe and exploit vulnerable sites remotely and at scale, raising the likelihood of widespread data exposure. The impact is greatest for organizations handling high donation volumes or sensitive donor data. Exposed donation details could also feed follow-on attacks or social-engineering campaigns against donors or staff. The absence of known exploits lowers the immediate risk, but the medium severity and low barrier to exploitation warrant proactive mitigation.
Mitigation Recommendations
1. Inventory every WordPress installation for the Whydonate plugin (wp-content/plugins/wp-whydonate) and record its version; any version through 4.0.15 is affected. Upgrade as soon as a fixed release is published.
2. Until a patch exists, place WAF or web-server rules in front of the plugin's endpoints (whatever REST routes and admin-ajax actions it registers) and restrict them to trusted addresses or authenticated sessions where the donation workflow allows it. Public donation forms must keep working, so restrict the administrative and data-returning endpoints rather than blocking the plugin's paths wholesale.
3. Review WordPress roles and capabilities so that donation management is limited to the smallest necessary set of accounts. This limits the blast radius of a compromised account but does not by itself close an unauthenticated bypass.
4. Monitor web server and application logs for requests to the plugin's paths (for example /wp-content/plugins/wp-whydonate/ and the admin-ajax or REST calls it registers) from unexpected sources, particularly bursts from single addresses that indicate mass scanning.
5. If the plugin is not essential, or compensating controls cannot be applied, deactivate it: an inactive plugin's code is not loaded, so its hooks and routes are not registered.
6. Brief IT and security teams now so the fix can be rolled out promptly when it is released.
7. Track patch availability with the vendor and on the plugin's WordPress.org page, and apply the update promptly.
8. Include plugin access controls in regular security assessments and penetration tests: look for REST routes registered with permission_callback set to __return_true and for wp_ajax_nopriv_ handlers that perform no capability check.
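For step 1, an added audit script (not from the advisory or the vendor) that checks one or more WordPress document roots for the plugin and compares its header version with the affected range. It assumes the plugin lives at wp-content/plugins/wp-whydonate, the slug given in the advisory, and that its main file carries a standard WordPress plugin header; the script name audit-whydonate.php is arbitrary.

```php
<?php
/**
 * Added example, not part of the advisory or the plugin: report whether the
 * wp-whydonate plugin found under each given WordPress root is in the affected
 * range (<= 4.0.15). Assumes the plugin directory wp-content/plugins/wp-whydonate
 * and a standard WordPress plugin header ("Plugin Name:", "Version:").
 *
 * Usage: php audit-whydonate.php /var/www/site1 /var/www/site2
 */

const AFFECTED_THROUGH = '4.0.15';
const PLUGIN_SUBDIR    = 'wp-content/plugins/wp-whydonate';

/**
 * Find the file in the plugin's top-level directory that carries the
 * "Plugin Name:" header and return its "Version:" value, or null if absent.
 * Mirrors how WordPress itself locates the main plugin file: it only reads the
 * first 8 KiB of each candidate.
 */
function whydonate_version(string $pluginDir): ?string {
    foreach (glob($pluginDir . '/*.php') ?: [] as $file) {
        $head = file_get_contents($file, false, null, 0, 8192);
        if ($head === false || !preg_match('/^[ \t\/*#@]*Plugin Name:/mi', $head)) {
            continue;
        }
        if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $head, $m)) {
            return trim($m[1]);
        }
        return null; // main file found but no Version header
    }
    return null;
}

/** True when the installed version is in the advisory's affected range. */
function is_affected(string $version): bool {
    return version_compare($version, AFFECTED_THROUGH, '<=');
}

$roots = array_slice($argv, 1);
if ($roots === []) {
    fwrite(STDERR, "usage: php audit-whydonate.php <wordpress-root> [...]\n");
    exit(2);
}

$exit = 0;
foreach ($roots as $root) {
    $dir = rtrim($root, '/') . '/' . PLUGIN_SUBDIR;
    if (!is_dir($dir)) {
        echo "$root: wp-whydonate not installed\n";
        continue;
    }
    $version = whydonate_version($dir);
    if ($version === null) {
        echo "$root: wp-whydonate present but no version header found; inspect manually\n";
        $exit = 1;
        continue;
    }
    if (is_affected($version)) {
        echo "$root: wp-whydonate $version AFFECTED (<= " . AFFECTED_THROUGH . ")\n";
        $exit = 1;
    } else {
        echo "$root: wp-whydonate $version not in affected range\n";
    }
}
exit($exit);
```

The script reports what is on disk and exits non-zero when any root needs attention, which makes it easy to run from a fleet-wide job. It does not tell you whether the plugin is active, so cross-check with the admin Plugins page or, where WP-CLI is installed, wp plugin list and wp plugin get wp-whydonate --field=version; only an active plugin registers the unprotected functionality.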
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-11T16:06:34.447Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f8efea04677bbd794397ac
Added to database: 10/22/2025, 2:53:30 PM
Last enriched: 1/20/2026, 8:08:02 PM
Last updated: 2/5/2026, 11:56:30 AM
Views: 45
Related Threats
- CVE-2026-23797: CWE-256 Plaintext Storage of a Password in OpenSolution Quick.Cart (Medium)
- CVE-2026-23796: CWE-384 Session Fixation in OpenSolution Quick.Cart (Medium)
- CVE-2026-1654: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pkthree Peter’s Date Countdown (Medium)
- CVE-2026-1294: CWE-918 Server-Side Request Forgery (SSRF) in bplugins All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink (High)
- CVE-2026-1271: CWE-639 Authorization Bypass Through User-Controlled Key in metagauss ProfileGrid – User Profiles, Groups and Communities (Medium)