{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10186", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-09T15:17:41.637Z", "datePublished": "2025-10-15T08:25:53.665Z", "dateUpdated": "2026-04-08T16:47:25.746Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:25.746Z"}, "affected": [{"vendor": "jjlemstra", "product": "WhyDonate \u2013 FREE Donate button \u2013 Crowdfunding \u2013 Fundraising", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WhyDonate \u2013 FREE Donate button \u2013 Crowdfunding \u2013 Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table."}], "title": "WhyDonate \u2013 FREE Donate button \u2013 Crowdfunding \u2013 Fundraising <= 4.0.15 - Missing Authorization to Unauthenticated wp_wdplugin_style Rww Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c6f30bb-dec0-4776-b255-bb88c9d003c2?source=cve"}, {"url": "https://wordpress.org/plugins/wp-whydonate/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378787%40wp-whydonate&new=3378787%40wp-whydonate&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-14T19:46:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T19:43:51.205271Z", "id": "CVE-2025-10186", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T19:44:08.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10186", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T19:43:51.205271Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T19:44:01.669Z"}}], "cna": {"title": "WhyDonate \u2013 FREE Donate button \u2013 Crowdfunding \u2013 Fundraising <= 4.0.14 - Missing Authorization to Unauthenticated wp_wdplugin_style Rww Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "jjlemstra", "product": "WhyDonate \u2013 FREE Donate button \u2013 Crowdfunding \u2013 Fundraising", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.0.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T19:46:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c6f30bb-dec0-4776-b255-bb88c9d003c2?source=cve"}, {"url": "https://wordpress.org/plugins/wp-whydonate/"}], "descriptions": [{"lang": "en", "value": "The WhyDonate \u2013 FREE Donate button \u2013 Crowdfunding \u2013 Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.14. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-15T08:25:53.665Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10186", "state": "PUBLISHED", "dateUpdated": "2025-10-15T19:44:08.368Z", "dateReserved": "2025-09-09T15:17:41.637Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:25:53.665Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WhyDonate \u2013 FREE Donate button \u2013 Crowdfunding \u2013 Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table."}], "id": "CVE-2025-10186", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:38.467", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378787%40wp-whydonate&new=3378787%40wp-whydonate&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wp-whydonate/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c6f30bb-dec0-4776-b255-bb88c9d003c2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:08:14.802691+00:00", "value": {"mitigation_remediation": ["Upgrade the WhyDonate plugin to the latest release that includes the authorization fix.", "Apply a temporary capability check or disable the remove_row endpoint so that only administrator users can invoke it.", "Deactivate or uninstall the plugin if it is not required until the patch is applied."], "summary": {"action": "Apply Update", "impact": "Unauthorized deletion of plugin data"}, "threat_synthesis": {"affected_systems": "This weakness affects the WhyDonate \u2013 FREE Donate button \u2013 Crowdfunding \u2013 Fundraising plugin published by jjlemstra. All releases through and including version 4.0.15 are vulnerable. WordPress sites that have any of these versions installed are at risk. More recent releases beyond 4.0.15 are presumed fixed.", "description_and_impact": "The WhyDonate WordPress plugin is vulnerable because it lacks a capability check when executing the remove_row function. This omission allows an unauthenticated attacker to send requests that delete rows from the plugin\u2019s database table wp_wdplugin_style, which stores campaign style data. The result is a loss or alteration of campaign presentation settings, potentially disrupting fundraising pages and erasing configured styles. The weakness is classified as a missing authorization flaw (CWE\u2011862).", "risk_and_exploitability": "The CVSS base score is 5.3, indicating a moderate severity. The EPSS score of less than 1% indicates that, at the time of reporting, exploitation is considered unlikely, possibly because the attack requires unauthenticated HTTP requests to a non\u2011public endpoint. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by directly calling the remove_row endpoint via an unauthenticated request, provided the website has the plugin active. Therefore, while the risk is moderate, exploitation is limited to sites that have not applied the recent patch."}}}}, "created": "2025-10-21T09:41:11.306226+00:00", "updated": "2026-04-22T13:15:17.845540+00:00", "vendors": ["whydonate", "whydonate$PRODUCT$wp_whydonate", "wordpress", "wordpress$PRODUCT$wordpress"]}