CVE-2025-64636 in Donation Thermometer Plugin
Summary
by MITRE • 06/26/2026
Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/26/2026
This vulnerability represents a critical broken access control flaw that affects the Donation Thermometer plugin for WordPress systems. The issue stems from insufficient authentication checks within the plugin's administrative interfaces, allowing unauthorized users to manipulate donation tracking mechanisms and potentially access sensitive donor information. The vulnerability exists in versions prior to 2.2.7, indicating that the developers identified and patched this specific weakness in their subsequent releases.
The technical implementation of this flaw typically involves missing or inadequate user authentication routines within the plugin's core functions. Attackers can exploit this by directly accessing administrative endpoints without proper credentials, potentially gaining access to donation records, donor personal information, and configuration settings. This represents a classic cwe-284 access control weakness where insufficient authorization checks allow unauthorized actors to perform privileged operations. The vulnerability enables attackers to manipulate the donation thermometer display values, potentially inflating donation totals or accessing restricted administrative functionalities.
The operational impact of this vulnerability extends beyond simple data exposure, as it can lead to financial manipulation and potential fraud. An attacker could alter donation amounts displayed on public pages, creating false impressions about fundraising progress while simultaneously gaining access to donor databases that may contain personally identifiable information. This creates significant risk for organizations relying on the plugin for charitable giving platforms where donor privacy and accurate reporting are paramount. The vulnerability aligns with attack techniques described in the attack framework under privilege escalation and data manipulation categories.
Organizations should immediately upgrade to version 2.2.7 or later to remediate this vulnerability, as the patch typically includes proper authentication checks and authorization controls within the plugin's administrative functions. System administrators should also implement network segmentation to limit access to administrative interfaces and monitor for unauthorized access attempts. Additional mitigations include implementing web application firewalls to detect and block suspicious requests targeting the vulnerable endpoints, along with regular security audits of installed plugins to identify similar access control weaknesses. The vulnerability demonstrates the importance of proper authentication implementation as outlined in owasp top ten category a05 and aligns with nist cybersecurity framework core functions of protect and detect.