CVE-2023-4404 CRITICAL

CVE-2023-4404: Donation Forms by Charitable <= 1.7.0.12 - Unauthenticated Privilege Escalation

Vendor Smub
Product Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Weakness CWE-269
Published August 23, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Donation Forms by Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the 'update_core_user' function. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.

Key dates

02Disclosure timeline

August 23, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-3422 Improper Privilege Management in tooljet/tooljet CVE-2024-52516 Nextcloud Server's shares are not removed when user is limited to share with in their groups and being removed from one of them CVE-2026-40002 ZTE Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. CVE-2024-32003 Dusk plugin may allow unfettered user authentication in misconfigured installs CVE-2025-53942 authentik has an insufficient check for account active status during OAuth/SAML authentication