The FundPress WordPress Donation Plugin versions up to 2.0.8 contain an authorization bypass vulnerability (CWE-862) in the donate_action_status() AJAX handler, which is accessible to unauthenticated users via wp_ajax_nopriv. The handler validates only that the schema parameter equals 'donate-ajax' and that required POST parameters are present but fails to verify user permissions, nonce tokens, or ownership of the donation being modified. This allows unauthenticated attackers to change the status of any donation by providing its ID, which is easily enumerable due to sequential integers. The vulnerability can lead to unauthorized modification of donation statuses such as completed, pending, or cancelled, potentially causing unintended side effects like triggering email notifications.

This vulnerability allows unauthenticated attackers to modify the status of any donation in the FundPress plugin by exploiting missing authorization checks. While it does not disclose sensitive data or cause denial of service, it can lead to integrity issues by altering donation records and may trigger unintended email notifications or related processes. The CVSS score is 5.3 (medium severity), reflecting the impact on data integrity without confidentiality or availability impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Until a patch is available, administrators should consider disabling or restricting access to the vulnerable AJAX handler if possible, or applying custom access controls to prevent unauthenticated modification of donation statuses. Monitor vendor communications for updates and apply official patches promptly once released.