{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39691", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:44.797Z", "dateUpdated": "2026-04-29T09:52:03.971Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cryptocurrency-donation-box", "product": "Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations", "vendor": "AdAstraCrypto", "versions": [{"lessThanOrEqual": "2.2.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:43.645Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations: from n/a through <= 2.2.13.</p>"}], "value": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations: from n/a through <= 2.2.13."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:03.971Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cryptocurrency-donation-box/vulnerability/wordpress-cryptocurrency-donation-box-bitcoin-crypto-donations-plugin-2-2-13-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin <= 2.2.13 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:29:53.387605Z", "id": "CVE-2026-39691", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T19:23:11.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T18:29:53.387605Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:18:26.932Z"}}], "cna": {"title": "WordPress Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin <= 2.2.13 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "AdAstraCrypto", "product": "Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.2.13"}], "packageName": "cryptocurrency-donation-box", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:43.645Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/cryptocurrency-donation-box/vulnerability/wordpress-cryptocurrency-donation-box-bitcoin-crypto-donations-plugin-2-2-13-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations: from n/a through <= 2.2.13.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations: from n/a through <= 2.2.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:44.797Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39691", "state": "PUBLISHED", "dateUpdated": "2026-04-13T19:23:11.971Z", "dateReserved": "2026-04-07T10:58:10.483Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:44.797Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations: from n/a through <= 2.2.13."}], "id": "CVE-2026-39691", "lastModified": "2026-04-24T18:05:35.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:41.370", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cryptocurrency-donation-box/vulnerability/wordpress-cryptocurrency-donation-box-bitcoin-crypto-donations-plugin-2-2-13-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations", "source": "cna", "vendor": "AdAstraCrypto"}, "product": "cryptocurrency_donation_box_\u2013_bitcoin_&_crypto_donations", "vendor": "adastracrypto"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T21:20:06.471169+00:00", "value": {"mitigation_remediation": ["Upgrade the Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin to the latest available version (\u2265\u202f2.2.14).", "If an immediate upgrade is not feasible, temporarily disable the plugin until a patched version is applied.", "Review donation logs and configuration to detect any unauthorized changes and restore proper settings if necessary."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The issue affects the AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin for WordPress. All releases up to and including version 2.2.13 are vulnerable, meaning any site running one of those versions is at risk.", "description_and_impact": "This vulnerability is a missing authorization flaw in the Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin. It enables an attacker to gain unauthorized access to the plugin\u2019s configuration and potentially tamper with donation settings. The flaw is categorized as CWE\u2011862 \u2013 Missing Authorization. Unauthorized manipulation could compromise the integrity of the donation process and may allow a malicious actor to redirect funds or alter the displayed donation options.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact, while the EPSS score of less than 1% suggests that exploitation is unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is web\u2011based and requires the ability to send specially crafted HTTP requests to the WordPress site, which an attacker may achieve if they have any level of access to the web application or through phishing. Once accessed, an unprivileged user could modify donation settings without authentication."}}}}, "created": "2026-04-08T19:27:44.376597+00:00", "updated": "2026-04-14T16:38:30.503354+00:00", "vendors": ["adastracrypto", "adastracrypto$PRODUCT$cryptocurrency_donation_box_\u2013_bitcoin_&_crypto_donations", "wordpress", "wordpress$PRODUCT$wordpress"]}