📄 Description (English)
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
🤖 AI Executive Summary
The Charitable WordPress donation plugin versions up to 1.8.10.4 contain a SQL injection vulnerability in the 's' parameter affecting authenticated users with donation management capabilities. While requiring admin-level access to exploit, successful attacks could expose sensitive database information including donor records, financial data, and user credentials. No patch is currently available, requiring immediate mitigation through plugin disabling or alternative solutions.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 15, 2026 03:20
🇸🇦 Saudi Arabia Impact Assessment
Saudi charitable organizations, Islamic NGOs, and Waqf institutions using WordPress with the Charitable plugin face significant risk of donor database compromise. Banking sector exposure is moderate if integrated with payment gateways. Government entities managing public donations or zakat programs could face data breach implications affecting citizen privacy. Healthcare and education sectors running fundraising campaigns are at risk. The vulnerability particularly threatens organizations subject to SAMA financial reporting requirements and NCA data protection mandates, as donor financial information and personal data could be extracted.
🏢 Affected Saudi Sectors
Charitable Organizations & NGOs
Islamic Waqf Institutions
Healthcare (fundraising operations)
Education (fundraising operations)
Government (public donation programs)
Banking (if integrated with payment processing)
Telecommunications (corporate social responsibility programs)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations for Charitable plugin presence and version (check wp-content/plugins/charitable/charitable.php)
2. Restrict admin access to donation management area to only essential personnel
3. Review database access logs for suspicious SQL queries in the past 90 days
4. Disable the plugin immediately if not actively used for fundraising
COMPENSATING CONTROLS:
1. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in 's' parameter
2. Apply database-level access controls limiting donation table queries to application service accounts
3. Enable WordPress security plugins (Wordfence, Sucuri) with SQL injection detection
4. Implement database activity monitoring (DAM) to detect anomalous queries
5. Apply principle of least privilege - remove edit_others_donations capability from non-essential admin accounts
DETECTION RULES:
1. Monitor for SQL keywords (UNION, SELECT, DROP, INSERT) in HTTP requests containing 's=' parameter
2. Alert on database queries containing unexpected UNION statements from WordPress application user
3. Track failed authentication attempts to donation admin pages
4. Monitor for unusual database connection patterns or query volumes
PATCHING STRATEGY:
1. Contact Charitable plugin developers for security update timeline
2. Evaluate alternative donation plugins (GiveWP, Donorbox) with active security maintenance
3. If plugin is critical, consider custom code review and patching by qualified WordPress security developer
4. Plan migration timeline to patched or alternative solution
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress للتحقق من وجود مكون Charitable والإصدار
2. تقييد الوصول إلى منطقة إدارة التبرعات للموظفين الأساسيين فقط
3. مراجعة سجلات الوصول إلى قاعدة البيانات عن استعلامات SQL المريبة في آخر 90 يوماً
4. تعطيل المكون فوراً إذا لم يكن قيد الاستخدام النشط
الضوابط التعويضية:
1. تطبيق قواعد جدار حماية تطبيقات الويب لحجب أنماط حقن SQL في معامل 's'
2. تطبيق ضوابط الوصول على مستوى قاعدة البيانات
3. تفعيل مكونات أمان WordPress (Wordfence, Sucuri) مع كشف حقن SQL
4. تطبيق مراقبة نشاط قاعدة البيانات للكشف عن الاستعلامات الشاذة
5. تطبيق مبدأ الحد الأدنى من الامتيازات
قواعد الكشف:
1. مراقبة كلمات SQL الرئيسية في طلبات HTTP تحتوي على معامل 's='
2. التنبيه على استعلامات قاعدة البيانات التي تحتوي على عبارات UNION غير متوقعة
3. تتبع محاولات المصادقة الفاشلة لصفحات إدارة التبرعات
4. مراقبة أنماط اتصال قاعدة البيانات غير العادية
استراتيجية التصحيح:
1. الاتصال بمطوري مكون Charitable للحصول على جدول زمني لتحديث الأمان
2. تقييم مكونات التبرع البديلة ذات الصيانة الأمنية النشطة
3. إذا كان المكون حرجاً، فكر في مراجعة الكود المخصص والتصحيح
4. التخطيط لجدول زمني للهجرة إلى حل معدل أو بديل
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Establishment of information security baselines
ECC 2024 A.5.23 - Protection of personally identifiable information
🔵 SAMA CSF
SAMA CSF ID.BE-3 - Organizational resilience objectives
SAMA CSF PR.DS-1 - Data security and privacy protections
SAMA CSF PR.AC-1 - Access control policies and procedures
SAMA CSF DE.CM-1 - Detection and analysis of anomalies
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.22 - Information security for supplier relationships
ISO 27001:2022 A.8.32 - Change management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 7.1 - Limit access to cardholder data
PCI DSS 10.2 - Implement automated audit trails
🔗 References & Sources 8
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/admin/dona...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/donations/...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/admin/donat...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/donations/c...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/admin/donations/cl...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/donations/class-ch...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3529172/charitable/trunk/includes/donation...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/950bed9d-8698-4aa0-86a4-fac9e...
security@wordfence.com