CVE-2026-1380 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the lxicon Bitcoin Donate Button plugin for WordPress, affecting all versions up to and including 1.0. The root cause is the absence or improper implementation of nonce validation on the plugin's settings page, which is intended to protect against unauthorized state-changing requests. This security lapse allows an unauthenticated attacker to craft a malicious request that, if executed by a site administrator (for example, by clicking a specially crafted link), can alter critical plugin settings. These settings include donation Bitcoin addresses and display options, potentially redirecting donations to attacker-controlled wallets or changing the plugin's behavior. The vulnerability does not require the attacker to be authenticated but does require user interaction by an administrator, limiting the attack vector to social engineering or phishing techniques. The CVSS v3.1 base score is 4.3 (medium), reflecting the ease of exploitation (low complexity, no privileges required) but limited impact scope (integrity only, no confidentiality or availability impact). No patches or known exploits are currently reported, but the risk remains significant for sites relying on this plugin for donation processing. The vulnerability highlights the importance of nonce validation in WordPress plugins to prevent CSRF attacks that can silently alter site configurations.

For European organizations, the primary impact of this vulnerability lies in the integrity of donation processing on WordPress sites using the lxicon Bitcoin Donate Button plugin. Attackers could redirect cryptocurrency donations to their own wallets, resulting in financial losses and reputational damage, especially for non-profits, charities, or community projects relying on donations. While the vulnerability does not compromise user data confidentiality or site availability, the unauthorized modification of donation addresses undermines trust and could lead to donor confusion or loss of funds. Organizations with public-facing donation portals are particularly at risk. The requirement for administrator interaction means that targeted phishing campaigns could be used to exploit this vulnerability, emphasizing the need for user awareness and technical controls. Given the widespread use of WordPress in Europe and the growing adoption of cryptocurrency donations, this vulnerability could affect a broad range of organizations, from small NGOs to larger enterprises with donation functionalities.

Since no official patch is currently available, European organizations should implement immediate mitigations to reduce risk. These include disabling or uninstalling the lxicon Bitcoin Donate Button plugin until a secure version is released. Alternatively, restrict administrative access to trusted IP addresses and enforce multi-factor authentication (MFA) for all WordPress administrators to reduce the likelihood of successful phishing. Educate administrators about the risk of clicking unsolicited links and implement email filtering to block phishing attempts. Additionally, organizations can implement Web Application Firewall (WAF) rules to detect and block suspicious POST requests to the plugin's settings page that lack valid nonces. Monitoring changes to plugin settings and donation addresses can provide early detection of exploitation attempts. Finally, once a patched version is released, promptly apply updates and verify nonce validation is correctly implemented.