CVE-2026-10038: Charitable WordPress Plugin IDOR Arbitrary Attachment Deletion Vulnerability
The Charitable donation plugin for WordPress contains a flaw that allows authenticated users with basic subscriber permissions to delete any attachment from a site's Media Library. The vulnerability exploits a two-step process: attackers first poison the stored avatar metadata with a target attachment ID, then trigger normal avatar upload functionality to delete it. While this requires login access, the low privilege level needed and straightforward execution method make it a practical risk for any WordPress site running this plugin where subscriber-level registration is enabled.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload).
12 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10038 is an Insecure Direct Object Reference (IDOR) vulnerability combined with authorization bypass in the Charitable plugin's profile avatar update mechanism. The vulnerable code path flows through the save_avatar() function in the Charitable_Profile_Form class, which calls wp_delete_attachment() on an attachment ID sourced from the user's 'avatar' meta field without ownership validation. A second flaw in Charitable_Data_Processor::process_picture() returns raw posted values when no file is uploaded, allowing the avatar metadata to be directly manipulated. Authenticated attackers chain these issues by: (1) submitting a crafted request to poison the avatar meta with an arbitrary attachment ID via the process_picture() function, and (2) performing a legitimate avatar upload to trigger save_avatar(), which deletes the poisoned ID without checking ownership. The vulnerability affects versions up to and including 1.8.11.1.
Business impact
An attacker with subscriber access can systematically delete critical media assets from your WordPress Media Library—including images, documents, or files integral to published posts or pages. This can disrupt content delivery, break site functionality, or force time-consuming recovery from backups. In multi-user or community-driven sites, malicious insiders (or compromised accounts) pose a direct threat. The business impact is primarily data loss and operational disruption rather than data theft or site takeover, though it may be leveraged as part of a broader sabotage campaign.
Affected systems
The Charitable – Donation Plugin for WordPress is affected in versions up to and including 1.8.11.1. Any WordPress installation running this plugin with Subscriber-level user registration enabled is at risk. The vulnerability requires authentication, so sites restricted to trusted users only face lower risk. Multi-tenant or open-registration WordPress environments are highest priority.
Exploitability
Exploitability is moderate to high. The attack requires valid login credentials, but Subscriber is the lowest privilege level on WordPress, making it easy for an attacker to register a test account on open sites or exploit a compromised low-privilege account. No user interaction is required once authenticated, and the two-request chain is simple to execute via standard HTTP requests or browser automation. The vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog, but the straightforward nature of the flaw means public proof-of-concept code could emerge quickly once details circulate.
Remediation
Upgrade the Charitable plugin to a patched version released after June 17, 2026 (verify against the vendor advisory). The fix should include ownership validation in the save_avatar() function to confirm that the attachment ID belongs to the authenticated user before deletion, and should sanitize or reject raw posted values in process_picture(). Pending patch availability, restrict Subscriber account creation, disable avatar upload functionality if not essential, or reduce plugin features to trusted user roles only.
Patch guidance
Check the Charitable plugin repository and vendor advisory for the first version released after the June 17, 2026 modification date that addresses this IDOR issue. Apply the update as soon as it becomes available. Test in a staging environment to confirm avatar functionality remains intact. If a patch is not yet available or your timeline does not permit immediate upgrade, implement role-based restrictions to disable the avatar feature for Subscriber-level users via hooks or custom code.
Detection guidance
Monitor server logs and WordPress audit plugins for repeated profile update requests from low-privilege accounts, particularly those with no corresponding successful file uploads (indicators of the poisoning step). Watch for sudden or unusual deletion of media library attachments. Enable WordPress security logging to track calls to wp_delete_attachment() and correlate them with profile form submissions. A Web Application Firewall (WAF) rule targeting repeated POST requests to the profile avatar endpoint from the same user within a short window may help catch automated attacks.
Why prioritize this
Although the CVSS score of 4.3 (MEDIUM) reflects limited scope (no confidentiality impact, low integrity impact to the site itself), the functional ease of exploitation and the direct link to active functionality make this a practical priority for any organization running Charitable with open or semi-open user registration. Data loss—even partial—can have contractual, reputational, or compliance implications. Prioritize this above truly low-risk flaws, but below critical or high-severity vulnerabilities affecting authentication or remote code execution.
Risk score, explained
The CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N score of 4.3 (MEDIUM) reflects: network-accessible vector (AV:N), low attack complexity (AC:L), requirement for low-privilege authentication (PR:L), no user interaction needed (UI:N), and impact limited to integrity (deletion of attachments owned by others, I:L) with no confidentiality or availability impact on other assets. The score does not amplify risk for community-driven sites or reflect business context—apply your own organizational risk multipliers based on user base size and content criticality.
Frequently asked questions
Does this vulnerability allow remote code execution or site takeover?
No. The flaw is confined to unauthorized deletion of Media Library attachments. It does not grant access to database, configuration files, or admin panels, and does not lead to RCE. A more critical vulnerability would be needed to fully compromise a site.
What if our WordPress site is not open to public registration?
Risk is substantially lower. If all user accounts are managed internally and you trust your staff, exposure is minimal. However, if any subscriber-level account is compromised via phishing or password reuse, the attack becomes possible. Continue to monitor and patch, but adjust your priority accordingly.
Can we disable this feature without removing the entire Charitable plugin?
Possibly, depending on the plugin's architecture. Some WordPress plugins allow disabling individual features via settings or code hooks. Review the Charitable documentation or contact the vendor to confirm whether the avatar upload can be disabled without breaking donation functionality. A temporary workaround may be to remove Subscriber capabilities to edit their profile until a patch is available.
Is this vulnerability actively exploited in the wild?
As of the modification date (June 17, 2026), the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. However, the simplicity of the flaw makes it a candidate for rapid weaponization once public details emerge. Do not delay patching in anticipation of a proof-of-concept release.
This analysis is based on the CVE record and vendor advisory as of June 2026. Patch availability, version numbers, and workarounds should be verified against the official Charitable plugin repository and vendor security advisories before deployment. SEC.co provides this information for situational awareness and does not guarantee accuracy of third-party vendor statements. Organizations should conduct their own risk assessment and testing in non-production environments prior to applying patches or implementing workarounds. No exploit code or detailed attack steps are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-11142MEDIUMChrome Paint Same-Origin Policy Bypass Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk