CVE-2026-10038
Summary
by MITRE • 06/06/2026
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload).
Analysis
by VulDB Data Team • 06/06/2026
The vulnerability in the Charitable WordPress plugin is a critical authorization bypass that lets authenticated attackers delete arbitrary attachments from the Media Library. It is an insecure direct object reference: an object identifier supplied by the user is acted on without any check that the user is authorized to reference it. The flaw sits in the profile avatar update flow, where the save_avatar() function in Charitable_Profile_Form calls wp_delete_attachment() on the attachment ID stored in the user's 'avatar' meta field without verifying that the attachment belongs to that user. Two weaknesses combine here: improper access control on the deletion, and unsafe handling of user-supplied data on the way into the meta field.
Exploitation is a two-step chain. First, the attacker poisons the user's 'avatar' meta field with a chosen attachment ID: Charitable_Data_Processor::process_picture() returns the raw posted value when no file is uploaded, so the posted value is stored in user meta as if it were the ID of a validated upload, bypassing the normal validation path. Second, the attacker performs an ordinary avatar upload; save_avatar() then deletes the attachment referenced by the poisoned meta value instead of the user's previous avatar. In ATT&CK terms, VulDB maps this pattern to privilege escalation and credential access techniques, since it manipulates user metadata to reach resources the user is not authorized to touch.
The operational impact goes beyond simple data deletion: an attacker can damage the integrity of the Media Library and disrupt site functionality that depends on it. Any account with Subscriber-level access or higher can remove images, documents, or other media files that the site or its users rely on. All versions up to and including 1.8.11.1 are affected, so the exposure window is long and many installations could be reachable. The bypass is a direct violation of the principle of least privilege and of basic input validation, matching the CWE entries for insecure direct object references and improper authorization checks. Its persistence across many releases suggests the avatar flow was not covered by security review during the plugin's development lifecycle, potentially leaving thousands of WordPress installations open to unauthorized data manipulation.
Mitigation should focus on input validation and authorization checks in the avatar update process. Before any deletion, the plugin must confirm that the attachment ID stored in user meta refers to an attachment owned by the authenticated user. Concretely, that means mandatory attachment ownership verification, sanitization of user-provided values, and access controls that stop users from manipulating resources they do not own. The plugin should also only store attachment IDs that result from an actual validated upload and reject attempts to write attacker-chosen IDs into user meta. These remediations follow the OWASP Top Ten and NIST guidance on access control and input validation. Regular security audits and vulnerability assessments should look for the same pattern in other plugin components so that similar authorization bypasses are caught before release.
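As an added illustration of the checks the exploitation description and the mitigation section call for, the following PHP is a hypothetical helper and not code from the Charitable plugin; it assumes only the standard WordPress functions absint(), get_post() and wp_delete_attachment(), and the function names example_delete_owned_avatar() and example_process_picture() are invented for this page.

```php
<?php
// Added example, not the plugin's own code. It shows the two gaps the
// advisory describes, closed: a stored avatar ID is validated for ownership
// before wp_delete_attachment() is called, and a bare posted value is never
// written into the 'avatar' meta in place of a real upload.

/**
 * Delete the user's previous avatar attachment only if the user owns it.
 * $stored_value is the raw 'avatar' user meta value (untrusted).
 * Returns true when an owned attachment was deleted, false when rejected.
 */
function example_delete_owned_avatar( int $user_id, $stored_value ): bool {
    $attachment_id = absint( $stored_value );   // non-numeric input becomes 0
    if ( 0 === $attachment_id ) {
        return false;
    }
    $post = get_post( $attachment_id );
    // The ID must resolve to a real attachment row authored by this user;
    // this is the ownership check that the vulnerable flow skips.
    if ( ! $post
        || 'attachment' !== $post->post_type
        || (int) $post->post_author !== $user_id ) {
        return false;
    }
    // Force-delete so the file and its metadata are removed together.
    return (bool) wp_delete_attachment( $attachment_id, true );
}

/**
 * Hardened counterpart of a process_picture()-style helper. Only an
 * attachment ID produced by a successful upload is returned; when no file
 * was submitted the previously stored value is kept, so a value typed into
 * the form field can never reach user meta.
 *
 * $upload_result: int attachment ID from a successful upload, WP_Error on
 *                 failure, or null when no file was submitted.
 * $previous_value: the current 'avatar' meta value (already validated once).
 */
function example_process_picture( $upload_result, $previous_value ): int {
    if ( is_int( $upload_result ) && $upload_result > 0 ) {
        return $upload_result;                   // freshly uploaded file
    }
    // No upload or a failed upload: do not trust anything else that was
    // posted; fall back to the existing, validated meta value.
    return absint( $previous_value );
}
```

In the vulnerable order of operations the caller would pass whatever process_picture() returned straight into the deletion; with these helpers the deletion only proceeds when get_post() confirms the ID is an attachment authored by the current user.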