CVE-2025-10186 MEDIUM

CVE-2025-10186: WhyDonate – FREE Donate button – Crowdfunding – Fundraising <= 4.0.15 - Missing Authorization to Unauthenticated wp_wdplugin_style Row Deletion

Vendor Jjlemstra
Product WhyDonate – FREE Donate button – Crowdfunding – Fundraising
Weakness CWE-862 · Missing authorization
Published October 15, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.
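The missing-check pattern described above, next to a hardened form, as an added example that is not the plugin's own code. The action name, the `id` column and request parameter, the nonce name and the `manage_options` capability are assumptions; only `remove_row` and the `wp_wdplugin_style` table come from the advisory, and the snippet assumes it is loaded inside WordPress with the default `wp_` table prefix.

```php
<?php
// Hypothetical illustration of CWE-862 in a WordPress AJAX callback.
// Names prefixed "example_" are constructed for this example.

// Unsafe form: deletes a row with no nonce and no capability check.
// Hooked on wp_ajax_nopriv_*, it is reachable by logged-out visitors.
function example_remove_row_unsafe() {
    global $wpdb;
    $id = absint( $_POST['id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'wdplugin_style', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}
// The registration that exposes it (left commented out on purpose):
// add_action( 'wp_ajax_nopriv_example_remove_row', 'example_remove_row_unsafe' );

// Hardened form: authenticated hook only, nonce, capability, input checks.
function example_remove_row() {
    global $wpdb;

    // 1. Request forgery: reject requests without a valid nonce.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_remove_row', 'nonce' );

    // 2. Authorization: the check whose absence is CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation: accept only a positive integer row id.
    $id = absint( $_POST['id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 );
    }

    // 4. Parameterized delete; $wpdb->delete() returns false on error,
    //    otherwise the number of rows removed.
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'wdplugin_style',
        array( 'id' => $id ),
        array( '%d' )
    );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_example_remove_row', 'example_remove_row' );
```

Registering only the `wp_ajax_` hook keeps logged-out visitors away from the handler, but any logged-in account can still call it, so the `current_user_can()` check is what enforces authorization.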

Explanation of Vulnerability in Simple Terms

02 Summary

The WhyDonate plugin for WordPress, versions 4.0.15 and earlier, lacks an authorization check on its remove_row function, allowing unauthenticated attackers to modify data on the site by deleting rows from the wp_wdplugin_style table. An attacker can exploit this vulnerability without logging in and without any user interaction. The vulnerability affects the plugin's core functionality and could lead to unauthorized changes to donation settings or related content.

What an attacker can do

03 Attacker Capabilities

Modify donation settings and related data without logging in.

Potential impact on your site

04 Site Impact

Attackers can alter donation configurations, potentially disrupting fundraising campaigns or redirecting funds.

Conditions required to exploit

05 Prerequisites

Network access to the WordPress site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

October 15, 2025 CVE published
April 8, 2026 Record updated
