FundEngine – Donation and Crowdfunding Platform Security & Risk Analysis

wordpress.org/plugins/wp-fundraising-donation

FundEngine - Fundraising Donation plugin and Crowdfunding Platform comes with Single donation and crowdfunding solution. You can use our plugin Either …

1K active installs · v1.7.5 · PHP 7.4+ · WP 5.2+ · Updated Jun 24, 2025
Tags: crowdfunding, donation, donations, fund, fundraising

Security score: 88 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Aug 8, 2025
Safety Verdict

Is FundEngine – Donation and Crowdfunding Platform Safe to Use in 2026?

Generally Safe

Score 88/100

FundEngine – Donation and Crowdfunding Platform has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Aug 8, 2025 · Updated 9mo ago
Risk Assessment

The wp-fundraising-donation plugin v1.7.5 exhibits a mixed security posture, with some strong practices offset by significant vulnerabilities. The plugin makes good use of prepared statements for SQL queries (99%) and escapes a high proportion of its output (87%), but the 3 'unserialize' function calls are a red flag: unserialize() applied to data an attacker can influence leads to PHP object injection, so it should only ever run on trusted input (or with allowed_classes restricted). The plugin also has a considerable attack surface of 32 entry points, of which a concerning 21 are unprotected, including 2 AJAX handlers and all 19 REST API routes lacking permission callbacks. The taint analysis reveals 4 high-severity flows with unsanitized paths, indicating potential for exploitation.

Key Concerns

  • High severity taint flows found
  • Significant number of unprotected entry points
  • AJAX handlers without authentication
  • REST API routes without permission callbacks
  • Presence of 'unserialize' function
  • Vulnerability history: 1 critical CVE
  • Vulnerability history: 2 high CVEs
  • Vulnerability history: 2 medium CVEs
  • Common vulnerability types: RFI, CSRF, Auth issues, SQLi
  • Bundled libraries (Stripe PHP, Select2) may be outdated

Vulnerabilities (5)

FundEngine – Donation and Crowdfunding Platform Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 2 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • Critical: 1
  • High: 2
  • Medium: 2

5 total CVEs

CVE-2025-48302 · high · 7.5 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
FundEngine <= 1.7.4 - Authenticated (Subscriber+) Local File Inclusion
Aug 8, 2025 · Patched in 1.7.5 (4d)

CVE-2025-47459 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP Fundraising Donation and Crowdfunding Platform <= 1.7.3 - Cross-Site Request Forgery
May 7, 2025 · Patched in 1.7.4 (7d)

CVE-2024-6698 · high · 8.8 · Missing Authorization
FundEngine – Donation and Crowdfunding Platform <= 1.7.0 - Authenticated (Subscriber+) Privilege Escalation
Jul 31, 2024 · Patched in 1.7.1 (1d)

CVE-2024-34758 · medium · 5.3 · Missing Authorization
WP Fundraising Donation and Crowdfunding Platform <= 1.6.4 - Missing Authorization
May 14, 2024 · Patched in 1.7.0 (7d)

CVE-2022-0788 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
WP Fundraising Donation and Crowdfunding Platform <= 1.4.2 - Unauthenticated SQL Injection
May 11, 2022 · Patched in 1.5.0 (622d)

Code Analysis (analyzed Mar 16, 2026)

FundEngine – Donation and Crowdfunding Platform Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 1 (179 prepared)
  • Unescaped Output: 454 (3102 escaped)
  • Nonce Checks: 24
  • Capability Checks: 8
  • File Operations: 1
  • External Requests: 4
  • Bundled Libraries: 2

Dangerous Functions Found

  • unserialize · apps\settings.php:1168 (two calls on this line): return ( @unserialize( $result ) !== false ) ? unserialize( $result ) : $result;
  • unserialize · views\admin\view-invoice.php:150: $addi = unserialize( $obj['_wfp_additional_data']->meta_value );

Bundled Libraries

Stripe PHP, Select2

SQL Query Safety

99% prepared (180 total queries)

Output Escaping

87% escaped (3556 total outputs)

Data Flows (7 unsanitized)

Data Flow Analysis

16 flows, 7 with unsanitized paths

  • ajax_render_video_data (apps\featured.php:560)

Attack Surface (21 unprotected)

FundEngine – Donation and Crowdfunding Platform Attack Surface

Entry Points: 32
Unprotected: 21

AJAX Handlers (4)

  • auth · wp_ajax_featured_video_get_data · apps\featured.php:53
  • auth · wp_ajax_featured_video_modal · apps\featured.php:55
  • auth · wp_ajax_ipn-ajax-wfp · apps\payment\setup.php:44
  • nopriv · wp_ajax_ipn-ajax-wfp · apps\payment\setup.php:45

REST API Routes (19)

  • POST · /wp-json/xs-donate-form/donate-submit/(?P<formid>\w+)/ · apps\content.php:269
  • GET · /wp-json/xs-donate-form/payment-redirect/(?P<id>\w+)/ · apps\content.php:279
  • POST · /wp-json/xs-fundraising-form/campaign-submit/(?P<formid>\w+)/ · apps\content.php:289
  • POST · /wp-json/xs-profile-form/billing-submit/(?P<formid>\w+)/ · apps\content.php:299
  • POST · /wp-json/xs-password-form/password-submit/(?P<formid>\w+)/ · apps\content.php:309
  • POST · /wp-json/xs-login-form/user-login/(?P<formid>\w+)/ · apps\content.php:319
  • POST · /wp-json/xs-register-form/user-register/(?P<formid>\w+)/ · apps\content.php:329
  • POST · /wp-json/woc-redirectadd-to-cart · apps\content.php:339
  • POST · /wp-json/wfp-xs-auth/login/ · apps\content.php:349
  • POST · /wp-json/wfp-xs-auth/register/ · apps\content.php:359
  • POST · /wp-json/xs-review-form/user-review/(?P<formid>\w+)/ · apps\content.php:369
  • POST · /wp-json/xs-update-form/user-update/(?P<formid>\w+)/ · apps\content.php:379
  • GET · /wp-json/xs-review-form/delete-review/(?P<formid>\w+)/ · apps\content.php:390
  • GET · /wp-json/xs-review-form/update-review/(?P<formid>\w+)/ · apps\content.php:401
  • GET · /wp-json/xs-donate-form/donate-active/(?P<donateid>\w+)/ · apps\fundraising.php:1006
  • GET · /wp-json/xs-donate-form/update_status/(?P<idd>\d+)/ · apps\fundraising.php:1017
  • GET · /wp-json/xs-donate-form/payment-type-modify/(?P<donateid>\w+)/ · apps\fundraising.php:1028
  • POST · /wp-json/wfp-stripe-payment/stripe-submit/(?P<id>\w+)/ · apps\payment\setup.php:58
  • GET · /wp-json/xs-welcome-form/welcome-submit/(?P<formid>\w+)/ · apps\settings.php:160

Shortcodes (9)

  • [wfp-forms] · apps\content.php:56
  • [wfp_fundraising_form] · apps\content.php:66
  • [wfp-auth-form] · apps\content.php:67
  • [wfp-dashboard] · apps\content.php:70
  • [wfp-success] · apps\content.php:73
  • [wfp-checkout] · apps\content.php:75
  • [wfp-cancel] · apps\content.php:77
  • [wfp-campaign] · apps\content.php:79
  • [wfp-donation-in-popup] · apps\content.php:81

WordPress Hooks (64)

  • action · wp_enqueue_scripts · apps\content.php:47
  • action · init · apps\content.php:50
  • action · init · apps\content.php:53
  • filter · single_template · apps\content.php:84
  • filter · the_content · apps\content.php:87
  • filter · the_content · apps\content.php:90
  • filter · the_content · apps\content.php:93
  • action · wp_head · apps\content.php:96
  • filter · wfp_single_social_providers · apps\content.php:98
  • action · rest_api_init · apps\content.php:266
  • action · init · apps\donation-cpt.php:17
  • action · elementor/elements/categories_registered · apps\elementor\elements.php:26
  • action · elementor/widgets/widgets_registered · apps\elementor\elements.php:29
  • filter · post_thumbnail_html · apps\featured.php:30
  • action · wp_enqueue_scripts · apps\featured.php:33
  • action · add_meta_boxes · apps\featured.php:43
  • action · admin_footer · apps\featured.php:47
  • action · admin_enqueue_scripts · apps\featured.php:50
  • action · save_post · apps\featured.php:58
  • action · init · apps\fundraising-cpt.php:17
  • action · init · apps\fundraising.php:55
  • action · init · apps\fundraising.php:58
  • action · admin_menu · apps\fundraising.php:61
  • action · admin_enqueue_scripts · apps\fundraising.php:64
  • action · add_meta_boxes · apps\fundraising.php:67
  • action · save_post · apps\fundraising.php:70
  • action · elementor/frontend/before_enqueue_scripts · apps\fundraising.php:87
  • action · rest_api_init · apps\fundraising.php:1003
  • action · add_meta_boxes · apps\gallery.php:25
  • action · admin_enqueue_scripts · apps\gallery.php:27
  • action · save_post · apps\gallery.php:29
  • action · admin_enqueue_scripts · apps\gallery.php:198
  • filter · wp_get_nav_menu_items · apps\menu.php:62
  • filter · wp_get_nav_menu_object · apps\menu.php:63
  • action · wp_enqueue_scripts · apps\payment\application\stripe\setup.php:110
  • action · init · apps\payment\setup.php:53
  • action · rest_api_init · apps\payment\setup.php:55
  • action · init · apps\settings.php:39
  • filter · user_can_richedit · apps\settings.php:42
  • action · admin_enqueue_scripts · apps\settings.php:48
  • action · wp_enqueue_scripts · apps\settings.php:49
  • filter · gettext · apps\settings.php:51
  • action · woocommerce_before_calculate_totals · apps\settings.php:64
  • action · rest_api_init · apps\settings.php:157
  • action · woocommerce_checkout_create_order_line_item · apps\wfpwoocommerce.php:250
  • filter · woocommerce_data_stores · apps\wfpwoocommerce.php:251
  • filter · woocommerce_product_get_price · apps\wfpwoocommerce.php:252
  • action · woocommerce_thankyou · apps\wfpwoocommerce.php:253
  • filter · woocommerce_add_to_cart_redirect · apps\wfpwoocommerce.php:254
  • action · rest_api_init · base\api.php:24
  • action · admin_menu · core\donation-report.php:14
  • action · wp_enqueue_scripts · core\enqueue-hook.php:11
  • action · admin_enqueue_scripts · core\enqueue-hook.php:12
  • action · init · engine.php:25
  • filter · doing_it_wrong_trigger_error · plugin.php:71
  • filter · the_content · plugin.php:78
  • filter · post_row_actions · plugin.php:82
  • action · admin_head · utilities\plugins\plugins.php:61
  • action · admin_menu · utilities\plugins\plugins.php:227
  • action · elementor/elements/categories_registered · widgets\manifest.php:17
  • action · elementor/widgets/widgets_registered · widgets\manifest.php:18
  • action · woocommerce_payment_complete · woo\woo-hooks.php:13
  • action · plugins_loaded · wp-fundraising.php:90
  • action · plugins_loaded · wp-fundraising.php:107

Maintenance & Trust

FundEngine – Donation and Crowdfunding Platform Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Jun 24, 2025
  • PHP min version: 7.4
  • Downloads: 62K

Community Trust

  • Rating: 84/100
  • Number of ratings: 22
  • Active installs: 1K

Developer Profile

FundEngine – Donation and Crowdfunding Platform Developer Profile

Roxnor

15 plugins · 3.0M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 118 days
Detection Fingerprints

How We Detect FundEngine – Donation and Crowdfunding Platform

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-fundraising-donation/assets/css/wfp-donation-public.css
  • /wp-content/plugins/wp-fundraising-donation/assets/css/wfp-donation-admin.css
  • /wp-content/plugins/wp-fundraising-donation/assets/css/wfp-donation-elementor.css
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-public.js
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-admin.js
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-elementor.js
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-map.js
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-chart.js

Script Paths

  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-public.js
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-admin.js
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-elementor.js
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-map.js
  • /wp-content/plugins/wp-fundraising-donation/assets/js/wfp-donation-chart.js

Version Parameters

  • wp-fundraising-donation/assets/css/wfp-donation-public.css?ver=
  • wp-fundraising-donation/assets/css/wfp-donation-admin.css?ver=
  • wp-fundraising-donation/assets/css/wfp-donation-elementor.css?ver=
  • wp-fundraising-donation/assets/js/wfp-donation-public.js?ver=
  • wp-fundraising-donation/assets/js/wfp-donation-admin.js?ver=
  • wp-fundraising-donation/assets/js/wfp-donation-elementor.js?ver=
  • wp-fundraising-donation/assets/js/wfp-donation-map.js?ver=
  • wp-fundraising-donation/assets/js/wfp-donation-chart.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wfp-fundraising-donation
  • wfp-donation-single-campaign
  • wfp-donation-form-wrapper
  • wfp-donate-button
  • wfp-campaign-list-item
  • wfp-donation-progress-bar
  • wfp-donation-goal
  • wfp-donation-amount
  • (+1 more)

HTML Comments

  • <!-- Sample short code for login-registration -->
  • <!-- giving legacy support ; this line should be deleted after another one or two version later -->

Data Attributes

  • data-plugin='wp-fundraising-donation'

JS Globals

  • wfp_donation_params
  • WfpFundraisingPublic
  • WfpFundraisingAdmin

REST Endpoints

  • /wp-json/wp-fundraising-donation/v1/donate
  • /wp-json/wp-fundraising-donation/v1/campaigns
  • /wp-json/wp-fundraising-donation/v1/backers

Shortcode Output

  • [wfp-forms]
  • [wfp_fundraising_form]
  • [wfp-auth-form]
  • [wfp-dashboard]

FAQ

Frequently Asked Questions about FundEngine – Donation and Crowdfunding Platform