Platform: wordpress
Component: wp_attractivedonationssystem
Fixed in: 1.25.1
CVE-2026-28115 describes a critical SQL Injection vulnerability discovered in the WP Attractive Donations System - Easy Stripe & Paypal donations WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 1.25. A patch is expected to be released by the vendor.
The SQL Injection vulnerability in WP Attractive Donations System allows an attacker to bypass authentication and directly interact with the underlying database. By crafting malicious SQL queries, an attacker can extract sensitive information such as user credentials (usernames, passwords, email addresses), donation amounts, and potentially even financial data stored within the plugin's database. The blind nature of the injection means the attacker doesn't receive direct feedback from the database, requiring them to use techniques like time-based or boolean-based injection to infer the data. This makes detection more difficult. Successful exploitation could lead to complete compromise of the WordPress site and its associated data, potentially impacting the organization's reputation and financial stability.
CVE-2026-28115 was publicly disclosed on 2026-03-05. The vulnerability is currently not listed on the CISA KEV catalog, and no public proof-of-concept exploits have been identified as of this writing. However, the severity of the vulnerability (CRITICAL) and the ease of exploitation associated with SQL injection suggest that it could become a target for malicious actors. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress sites utilizing the WP Attractive Donations System plugin, particularly those running older, unpatched versions (0.0.0–1.25), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "wp_attractive_donations_system" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep wp_attractive_donations_system
• wordpress / composer / npm:
# Read the installed version from the plugin's readme (the original command grepped HTTP headers for the string "SQL Injection", which never matches)
curl -s https://your-wordpress-site.com/wp-content/plugins/wp-attractive-donations-system/readme.txt | grep -i 'Stable tag'
Disclosure
Exploit status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28115 is to upgrade to a patched version of the WP Attractive Donations System plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to filter out potentially malicious SQL injection attempts targeting the plugin's endpoints. Specifically, look for rules that detect common SQL injection patterns and block requests containing those patterns. Additionally, review and restrict database user permissions to limit the potential damage from a successful attack. After upgrade, confirm by attempting a series of SQL injection tests on the plugin's endpoints to ensure the vulnerability is resolved.
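The advisory gives an affected range of 0.0.0 through 1.25 and a fixed version of 1.25.1, so the practical check is a numeric version comparison of the installed plugin header (a plain string compare gets "1.25" vs "1.25.1" wrong). The following POSIX shell script is an added example, not part of the advisory or the plugin; the sample plugin header it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag an installed copy of the plugin whose "Version:" header
# (present in every WordPress plugin's main PHP file) is older than the fix.
FIXED_VERSION="1.25.1"   # from the advisory's "Fixed in" field

# Print the Version header value from plugin file contents on stdin.
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions component by component; echo -1, 0 or 1.
# Missing components count as 0, so 1.25 is treated as 1.25.0 (< 1.25.1).
vercmp() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    [ "$a" = "$ax" ] && a= || a=${a#*.}
    [ "$b" = "$bx" ] && b= || b=${b#*.}
    ax=${ax:-0}; bx=${bx:-0}
    if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
    if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
  done
  echo 0
}

# True (exit 0) when the given version is below the fixed version.
is_vulnerable() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Check one plugin file; exit 0 = affected, 1 = patched, 2 = version unreadable.
check_plugin_file() {
  v=$(plugin_version < "$1")
  if [ -z "$v" ]; then echo "UNKNOWN: no Version header in $1"; return 2; fi
  if is_vulnerable "$v"; then echo "AFFECTED: $1 is $v (< $FIXED_VERSION)"; return 0; fi
  echo "OK: $1 is $v"; return 1
}

# Constructed sample header (not a real plugin file) for offline demonstration.
SAMPLE_HEADER='<?php
/*
 * Plugin Name: WP Attractive Donations System
 * Version: 1.25
 */'

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_HEADER" > "$tmp"
  check_plugin_file "$tmp"; rm -f "$tmp"
fi
```

Point `check_plugin_file` at the plugin's main PHP file under `wp-content/plugins/` on each host; the exit status makes it usable in a fleet-wide inventory loop.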
No known patch available. Please review the vulnerability details carefully and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2026-28115 is a critical SQL Injection vulnerability affecting the WP Attractive Donations System WordPress plugin, allowing attackers to potentially extract sensitive data and compromise the site.
If you are using WP Attractive Donations System versions 0.0.0 through 1.25, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade to the latest version of the WP Attractive Donations System plugin as soon as a patch is released. Until then, disable the plugin or implement temporary workarounds like input validation.
While no active exploitation has been confirmed, the ease of exploitation associated with SQL injection suggests it is likely to be targeted soon.
Please refer to the vendor's website or WordPress plugin repository for the official advisory and patch release information.