Platform
wordpress
Component
wp_attractivedonationssystem
Fixed in
1.25.1
CVE-2026-28115 describes a SQL Injection vulnerability discovered in the WP Attractive Donations System - Easy Stripe & Paypal donations WordPress plugin. This flaw allows attackers to potentially bypass authentication and extract sensitive data from the database. The vulnerability affects versions from 0.0.0 up to and including 1.25. A patch is expected to be released by the vendor.
The SQL Injection vulnerability in WP Attractive Donations System allows an attacker to inject malicious SQL code into database queries. Successful exploitation could lead to unauthorized access to sensitive information, including user credentials, donation data, and potentially other application data stored in the database. Depending on the database configuration and permissions, an attacker might even be able to modify or delete data, leading to a complete compromise of the WordPress site. This vulnerability is particularly concerning because it allows for blind SQL injection: the attacker does not need the query results to be displayed in a response, but can infer them from the application's behavior, which makes exploitation harder to detect.
CVE-2026-28115 was publicly disclosed on 2026-03-05. The vulnerability is considered to have a high probability of exploitation, given how easily SQL injection flaws are typically exploited and the lack of immediate mitigation options beyond plugin updates. No public proof-of-concept code has been released at the time of writing, but the nature of the vulnerability suggests that it is likely to be exploited in the near future. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.04% (12th percentile)
The primary mitigation for CVE-2026-28115 is to upgrade to a patched version of the WP Attractive Donations System plugin as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin to prevent exploitation. As a short-term workaround, implement strict input validation and sanitization on all user-supplied data used in SQL queries. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can also provide an additional layer of protection. Monitor WordPress logs for suspicious database activity.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-28115 is a critical SQL Injection vulnerability affecting the WP Attractive Donations System WordPress plugin, allowing attackers to potentially extract sensitive data and compromise the site.
If you are using WP Attractive Donations System versions 0.0.0 through 1.25, you are potentially affected by this vulnerability. Check your plugin version immediately.
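A small version check against the affected range stated in this record (0.0.0 through 1.25, fixed in 1.25.1), added here as an example and not taken from the plugin or the advisory. It reads the standard `Version:` header line from a WordPress plugin's main PHP file and compares versions numerically, so that 1.3 is correctly treated as older than 1.25 (a plain string comparison would get this wrong); the sample header and the path comment are constructed.

```python
import re
from typing import Optional, Tuple

# Affected range and fix version exactly as stated in the CVE-2026-28115 record.
AFFECTED_MIN = "0.0.0"
AFFECTED_MAX = "1.25"   # inclusive
FIXED_IN = "1.25.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.25' into a comparable tuple.

    Trailing non-numeric tags (e.g. '1.25-beta') are dropped, and missing
    components are padded with zeros so that '1.25' compares equal to '1.25.0'.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version falls in 0.0.0 .. 1.25 inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def is_fixed(version: str) -> bool:
    """True when the installed version is at or above the fixed release."""
    return parse_version(version) >= parse_version(FIXED_IN)


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Read the 'Version:' line from a WordPress plugin main-file header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([^\r\n]+)", php_source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


# Constructed sample header; in practice read wp-content/plugins/<slug>/<main>.php (path assumed).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Attractive Donations System
 * Version: 1.25
 */
"""

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    print(f"installed {installed}: affected={is_affected(installed)} fixed={is_fixed(installed)}")
```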
Upgrade to the latest version of the WP Attractive Donations System plugin as soon as a patch is released. Until then, disable the plugin or implement temporary workarounds like input validation.
While no active exploitation has been confirmed, the ease of exploitation associated with SQL injection suggests it is likely to be targeted soon.
Please refer to the vendor's website or WordPress plugin repository for the official advisory and patch release information.