CVE-2026-1380 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Bitcoin Donate Button plugin for WordPress, affecting all versions up to and including 1.0. The root cause is the absence or improper implementation of nonce validation on the plugin's settings page, which is critical for verifying the legitimacy of requests modifying plugin configurations. Without this protection, an attacker can craft malicious web requests that, when executed by an authenticated administrator (via clicking a link or visiting a malicious page), alter sensitive plugin settings such as the Bitcoin donation address and display options. This manipulation can redirect donations to attacker-controlled wallets or change the plugin’s behavior to deceive site visitors. The vulnerability does not require authentication by the attacker but does require user interaction from an administrator, making it a targeted social engineering risk. The CVSS 3.1 score of 4.3 reflects a network attack vector with low complexity, no privileges required, but user interaction necessary, and limited impact on confidentiality and availability, with integrity impacted due to unauthorized changes. No patches or exploits have been reported yet, but the vulnerability is publicly disclosed and documented by Wordfence and the CVE database.

The primary impact of this vulnerability is the unauthorized modification of plugin settings, which can lead to redirection of cryptocurrency donations to attacker-controlled wallets, resulting in financial loss and reputational damage for affected organizations. Since the plugin is used to facilitate Bitcoin donations, organizations relying on it for fundraising or charitable contributions may experience direct monetary theft. Additionally, altered display configurations could mislead users, undermining trust in the website and its donation mechanisms. Although the vulnerability does not compromise system confidentiality or availability directly, the integrity of donation processes is compromised. The requirement for administrator interaction limits the attack scope but does not eliminate risk, especially in environments where administrators may be targeted via phishing or social engineering. Organizations with high volumes of cryptocurrency donations or those with less stringent administrative security practices are at greater risk.

Organizations should immediately implement strict administrative security policies, including educating administrators about the risks of clicking untrusted links and employing multi-factor authentication to reduce the risk of compromised accounts. Until an official patch is released, administrators should avoid interacting with suspicious links or emails that could trigger CSRF attacks. Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin’s settings page can provide a temporary defense. Additionally, site owners can consider disabling or removing the Bitcoin Donate Button plugin if it is not essential or replacing it with alternative donation plugins that follow secure coding practices. Monitoring administrative activity logs for unauthorized changes to plugin settings can help detect exploitation attempts early. Finally, developers and maintainers should prioritize releasing a patch that correctly implements nonce validation and other CSRF protections.