Vulnerabilities ›

CVE-2026-3177

Medium

CWE-345 — Weakness Type

                    Published: Apr 7, 2026                      ·  Modified: Apr 10, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment.

🤖 AI Executive Summary

The Charitable Donation Plugin for WordPress fails to verify Stripe webhook authenticity, allowing attackers to forge payment confirmations. Unauthenticated attackers can mark donations as completed without actual payment processing.

📄 Description (Arabic)

تفتقر إضافة Charitable للتحقق من صحة أحداث webhook الواردة من Stripe، مما يسمح للمهاجمين بتزوير رسائل نجاح الدفع. يمكن للمهاجمين غير المصرح لهم تحديث حالة التبرعات إلى مكتملة دون معالجة دفع فعلية. هذا يؤثر على سلامة البيانات المالية والثقة في أنظمة التبرعات الخيرية.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 02:39

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking healthcare government

🎯 MITRE ATT&CK Techniques

T1190 T1566 T1583

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update the Charitable plugin to version 1.8.9.8 or later immediately. Verify Stripe webhook signatures using Stripe's official verification methods. Implement additional server-side payment validation before marking donations as completed. Monitor webhook logs for suspicious activity.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Charitable إلى الإصدار 1.8.9.8 أو أحدث فوراً. تحقق من توقيعات Stripe webhook باستخدام طرق التحقق الرسمية من Stripe. طبق التحقق الإضافي من الدفع على جانب الخادم قبل تحديد التبرعات كمكتملة. راقب سجلات webhook للنشاط المريب.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC-1.1 ECC-2.1 ECC-3.2

🔵 SAMA CSF

ID.BE-1 PR.AC-1 PR.DS-1

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5 A.12.6.1

🔗 References & Sources 2

🔗

https://plugins.trac.wordpress.org/changeset/3485023/charitable

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37db...

security@wordfence.com

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-345

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-04-07

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-345

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-3177

💬 Comments

Introduce Yourself

Sign In Required