Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More < 1.8.10 – Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook | CVE 2026-3177 | Plugin Vulnerabilities

Description

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment.

Affects Plugins

Fixed in 1.8.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600

Classification

Type

CONTENT INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Andrés Cruciani

Verified

No

WPVDB ID

ae3274d2-9146-41df-a1be-9cc45bbf43cb

Timeline

Publicly Published

2026-04-06 (about 1 month ago)

Added

2026-04-06 (about 1 month ago)

Last Updated

2026-04-07 (about 1 month ago)

Other

Published

Title

Published

2021-07-12

Title

Frontend File Manager < 18.3 - Unauthenticated HTML Injection

Published

2021-09-23

Title

Ark Comment Editor <= 2.15.6 - Iframe Injection via Comment

Published

2025-06-05

Title

Profile Builder < 3.13.9 - Unauthenticated Content Spoofing

Published

2024-05-14

Title

Insert or Embed Articulate Content into WordPress <= 4.3000000025 - Iframe Injection

Published

2024-06-03

Title

Claudio Sanches – Checkout Cielo for WooCommerce <= 1.1.0 - Insufficient Verification of Data Authenticity to Order Payment Status Update