{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3177", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-25T00:09:57.727Z", "datePublished": "2026-04-07T07:40:13.519Z", "dateUpdated": "2026-04-08T17:18:40.687Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:40.687Z"}, "affected": [{"vendor": "smub", "product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.9.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment."}], "title": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3485023/charitable"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-345 Insufficient Verification of Data Authenticity", "cweId": "CWE-345", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Andr\u00e9s Cruciani"}], "timeline": [{"time": "2026-02-25T00:25:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-06T18:46:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T13:19:16.985212Z", "id": "CVE-2026-3177", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:19:24.638Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3177", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T13:19:16.985212Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:19:20.948Z"}}], "cna": {"title": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook", "credits": [{"lang": "en", "type": "finder", "value": "Andr\u00e9s Cruciani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "smub", "product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.9.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-25T00:25:08.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-06T18:46:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3485023/charitable"}], "descriptions": [{"lang": "en", "value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-07T07:40:13.519Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3177", "state": "PUBLISHED", "dateUpdated": "2026-04-07T13:19:24.638Z", "dateReserved": "2026-02-25T00:09:57.727Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-07T07:40:13.519Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment."}], "id": "CVE-2026-3177", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-07T08:16:11.090", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3485023/charitable"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.9.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More", "source": "cna", "vendor": "smub"}, "product": "charitable_\u2013_donation_plugin_for_wordpress_\u2013_fundraising_with_recurring_donations_&_more", "vendor": "smub"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-07T09:51:34.895163+00:00", "value": {"mitigation_remediation": ["Upgrade Charitable to a version newer than 1.8.9.7 that validates Stripe webhook signatures.", "If an upgrade is unavailable, configure the webhook endpoint to require and verify a valid Stripe signature header, rejecting any request that lacks it.", "Consider restricting access to the webhook URL to only Stripe IP ranges or adding an additional secret token to further mitigate unauthorized requests."], "summary": {"action": "Patch", "impact": "Unauthorized donation status manipulation"}, "threat_synthesis": {"affected_systems": "The WordPress component Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations & More, supplied by smub, is affected in all releases up to and including version 1.8.9.7. Any WordPress site that installs this version and accepts Stripe webhook traffic is vulnerable.", "description_and_impact": "This flaw arises from the missing cryptographic verification of Stripe webhook events. An attacker can forge a payment_intent.succeeded payload, causing the plugin to mark a pending donation as completed even when no payment has occurred. This misleads site owners and donors into believing a donation was processed and may trigger thank\u2011you messages or allocation of resources based on a nonexistent contribution. The weakness is a case of insufficient data authenticity verification.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate severity. EPSS information is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no publicly known exploitation yet. The likely attack vector is an unauthenticated attacker sending a forged Stripe webhook to the plugin\u2019s endpoint. Once the webhook is accepted, the attacker can alter donation records, potentially defrauding donors or masking fraudulent activity."}}}}, "created": "2026-04-07T09:36:18.065195+00:00", "updated": "2026-04-08T19:49:57.796317+00:00", "vendors": ["smub", "smub$PRODUCT$charitable_\u2013_donation_plugin_for_wordpress_\u2013_fundraising_with_recurring_donations_&_more", "wordpress", "wordpress$PRODUCT$wordpress"]}