CVE-2026-7619: SQL Injection in Charitable WordPress Plugin

An attacker exploiting CVE-2026-7619 could gain unauthorized access to the WordPress database. This could involve extracting sensitive information such as donor names, email addresses, donation amounts, and potentially even payment details if stored in the database. Successful exploitation requires the attacker to have administrative privileges within the WordPress donation management area (specifically the editothersdonations capability). The blast radius extends to all data stored within the plugin's database tables. While the vulnerability requires authentication, the widespread use of WordPress and the plugin's popularity make it a significant risk, particularly for organizations handling sensitive financial data. This vulnerability shares similarities with other SQL injection flaws where attackers can bypass authentication and gain control of the database.

1. Reserved2026-05-01
2. Veröffentlicht2026-05-13

The primary mitigation for CVE-2026-7619 is to immediately upgrade the Charitable WordPress plugin to version 1.8.10.5 or later. If upgrading is not immediately possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the 's' parameter. Specifically, look for unusual characters or SQL keywords within the parameter value. Additionally, review and restrict user permissions within the WordPress donation management area, limiting the editothersdonations capability to only those who absolutely require it. After upgrading, verify the fix by attempting a SQL injection attack on the vulnerable parameter using a safe, non-destructive query to confirm that the escaping mechanism is now functioning correctly.