CVE-2026-4650 | FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification via donate_action_status AJAX Handler

The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users via wp_ajax_nopriv. The function only validates that the schema parameter equals 'donate-ajax' and that the required POST parameters are present, but fails to verify user capabilities, nonce tokens, or donation ownership. This makes it possible for unauthenticated attackers to modify the status of any donation by providing its ID (which are sequential integers and easily enumerable), allowing them to mark donations as completed, pending, cancelled, or any arbitrary status, potentially triggering email notifications and related side effects.

Published: 2026-05-02 Last update: 2026-05-05 Assigner: [email protected] Source: [email protected]

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2026-4650 is rated Low Risk (23.4/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-4650

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-02	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-4650

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.3	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	3.9	1.4	[email protected]

Weakness enumeration for CVE-2026-4650

CWE-862 MITRE ↗

GitHub Security Advisory for CVE-2026-4650

GHSA-59hp-h3hq-6gmv · Severity: medium — The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in...

Affected software / configurations for CVE-2026-4650

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2026-4650

URL	Tags
https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-ajax.php#L173
https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-ajax.php#L179
https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.8/inc/class-dn-donate.php#L189
https://plugins.trac.wordpress.org/browser/fundpress/tags/2.0.9/inc/class-dn-ajax.php#L179
https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-ajax.php#L173
https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-ajax.php#L179
https://plugins.trac.wordpress.org/browser/fundpress/trunk/inc/class-dn-donate.php#L189
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3502937%40fundpress&new=3502937%40fundpress&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/5db3c66f-0a9c-4233-923c-0965dec68c60?source=cve

cvelogic Threat Intelligence