CVE-2026-7619 - Vulnerability Details

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Smub	Charitable – Donation Plugin For Wordpress – Fundraising With Recurring Donations & More
Wordpress	Wordpress

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/admin/donations/class-charitable-donation-list-table.php#L837
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/donations/class-charitable-donations.php#L89
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/admin/donations/class-charitable-donation-list-table.php#L837
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/donations/class-charitable-donations.php#L89
https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/admin/donations/class-charitable-donation-list-table.php#L837
https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/donations/class-charitable-donations.php#L89
https://plugins.trac.wordpress.org/changeset/3529172/charitable/trunk/includes/donations/class-charitable-donations.php?old=3209943&old_path=charitable%2Ftrunk%2Fincludes%2Fdonations%2Fclass-charitable-donations.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/950bed9d-8698-4aa0-86a4-fac9e07bb42b?source=cve

History

Wed, 13 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 13 May 2026 05:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Smub Smub charitable – Donation Plugin For Wordpress – Fundraising With Recurring Donations & More Wordpress Wordpress wordpress
Vendors & Products		Smub Smub charitable – Donation Plugin For Wordpress – Fundraising With Recurring Donations & More Wordpress Wordpress wordpress

Wed, 13 May 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title		Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter
Weaknesses		CWE-89
References		https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/admin/donations/class-charitable-donation-list-table.php#L837 https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/donations/class-charitable-donations.php#L89 https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/admin/donations/class-charitable-donation-list-table.php#L837 https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/donations/class-charitable-donations.php#L89 https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/admin/donations/class-charitable-donation-list-table.php#L837 https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/donations/class-charitable-donations.php#L89 https://plugins.trac.wordpress.org/changeset/3529172/charitable/trunk/includes/donations/class-charitable-donations.php?old=3209943&old_path=charitable%2Ftrunk%2Fincludes%2Fdonations%2Fclass-charitable-donations.php https://www.wordfence.com/threat-intel/vulnerabilities/id/950bed9d-8698-4aa0-86a4-fac9e07bb42b?source=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-13T04:26:39.907Z

Updated: 2026-05-13T10:22:39.226Z

Reserved: 2026-05-01T13:19:14.129Z

Link: CVE-2026-7619

Vulnrichment

Updated: 2026-05-13T10:18:58.098Z

NVD

Status : Deferred

Published: 2026-05-13T05:16:24.603

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-7619

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object