Platform
wordpress
Component
charitable
Fixed in
1.8.10
CVE-2026-3177 is a security vulnerability affecting the Charitable donation plugin for WordPress. This issue stems from insufficient verification of data authenticity, specifically a lack of cryptographic verification for Stripe webhook events. A successful exploit could allow an attacker to forge payment confirmations, potentially leading to fraudulent donation marking and financial discrepancies. The vulnerability impacts versions of the plugin up to and including 1.8.9.7, but a patch is available in version 1.8.10.
CVE-2026-3177 affects the Charitable WordPress plugin, used for fundraising and recurring donations. The lack of proper cryptographic verification of Stripe webhook events allows unauthenticated attackers to forge payment_intent.succeeded payloads. This could result in pending donations being incorrectly marked as completed, even if no actual payment has been made. The primary impact is financial loss for charities, as non-existent donations will be recorded, and potential erosion of donor trust if discrepancies are detected. The severity is rated as CVSS 5.3, indicating a moderate risk. Updating the plugin to version 1.8.10 or higher is crucial to mitigate this risk.
An attacker could exploit this vulnerability by sending forged payment_intent.succeeded webhook payloads to the WordPress instance utilizing the Charitable plugin. These payloads, lacking proper cryptographic verification, would be accepted by the plugin, marking donations as completed. The attacker does not need direct server or database access; they only need to be able to send HTTP requests to the webhook endpoint configured for the plugin. The difficulty of exploitation is relatively low, as it does not require advanced technical skills or complex tools. The likelihood of exploitation depends on the plugin's popularity and the website administrator's awareness of this vulnerability.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The solution to CVE-2026-3177 is straightforward: update the Charitable WordPress plugin to version 1.8.10 or later. This update implements the necessary cryptographic verification to validate the authenticity of Stripe webhooks. Additionally, review recent donation records to identify any suspicious transactions that may have been created as a result of this vulnerability. Implementing regular financial transaction audits and monitoring WordPress security alerts are good practices to prevent future incidents. Ensure you perform a full website backup before applying any updates.
Update to version 1.8.10, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
A webhook is a way to receive real-time notifications when events occur in another application, in this case, Stripe. It allows Charitable to know when a payment has been completed.
Cryptographic verification ensures that webhooks originate from Stripe and haven't been tampered with by an attacker. Without it, an attacker can send false data and trick the plugin.
Carefully review recent donation records for suspicious transactions. If you find any, contact your bank and Stripe to investigate further.
There are no specific tools to detect this type of attack, but monitoring donation logs and looking for unusual patterns can help.
Keep WordPress, plugins, and themes updated. Use strong passwords and two-factor authentication. Perform regular website backups.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.