The Charitable – Donation Plugin for WordPress suffers from an Insecure Direct Object Reference (IDOR) vulnerability (CWE-639) that leads to authorization bypass. The save_avatar() function calls wp_delete_attachment() on an attachment ID taken from the user's 'avatar' meta without verifying that the attachment belongs to the user. The Charitable_Data_Processor::process_picture() function returns the raw posted value when no file is uploaded, allowing an attacker to poison the 'avatar' user meta with an arbitrary attachment ID. Authenticated users with Subscriber-level privileges or higher can exploit this by first setting the 'avatar' meta to a target attachment ID and then uploading an avatar to trigger deletion of that attachment. This vulnerability affects versions up to and including 1.8.11.1. No patch or official remediation has been published as of the data provided.

An attacker with authenticated access at Subscriber level or above can delete arbitrary media attachments from the WordPress Media Library. This could result in loss of media content, potentially disrupting website functionality or content availability. The vulnerability does not impact confidentiality or availability of the system beyond the deletion of attachments, and does not allow privilege escalation or code execution. The CVSS score of 4.3 reflects a medium severity impact focused on integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting user roles that can upload avatars or modify user meta, or disable the avatar upload feature if feasible. Monitoring for unusual deletion activity may help detect exploitation attempts. Avoid granting Subscriber or higher privileges to untrusted users. Follow vendor channels for updates and apply patches promptly once available.