FundPress WordPress Donation Plugin Authorization Bypass Vulnerability

Vulnerability

A vulnerability allowing authorization bypass has been identified in the FundPress WordPress Donation Plugin, affecting versions through 2.0.8. The issue arises from inadequate authorization and nonce verification in the 'donate_action_status' AJAX handler, which is accessible to unauthenticated users. The handler only checks for the presence of certain POST parameters and that the schema parameter is set to 'donate-ajax', but it does not validate user capabilities or donation ownership. This flaw enables unauthenticated attackers to manipulate the status of any donation by sending its ID, which is a sequential integer and easily guessable. Attackers can change donation statuses to completed, pending, or cancelled, potentially triggering email notifications and other related effects.
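As an added example (not FundPress's own code), the handler shape the advisory describes is reconstructed beside a hardened version that adds the nonce, capability and ownership checks the advisory says are missing; the function names, the 'donation' post type, the 'donor_id' meta key and the capability used are assumptions.

```php
<?php
// Added illustration; not FundPress code. All names below are assumptions.

// Weak shape as the advisory describes it: registered on the nopriv hook,
// so unauthenticated callers reach it, and it checks only that parameters
// are present and that schema == 'donate-ajax'.
add_action( 'wp_ajax_nopriv_donate_action_status_weak', 'example_weak_donate_status' );
function example_weak_donate_status() {
    if ( empty( $_POST['schema'] ) || 'donate-ajax' !== $_POST['schema']
        || empty( $_POST['donate_id'] ) || empty( $_POST['status'] ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    // No nonce, capability or ownership check: any caller who supplies a
    // valid sequential ID can flip that donation's status.
    wp_update_post( array(
        'ID'          => absint( $_POST['donate_id'] ),
        'post_status' => sanitize_key( $_POST['status'] ),
    ) );
    wp_send_json_success();
}

// Hardened form: logged-in hook only, nonce verified, status whitelisted,
// and the caller must hold the managing capability or own the donation
// (owners may only cancel their own donation).
add_action( 'wp_ajax_donate_action_status_hardened', 'example_hardened_donate_status' );
function example_hardened_donate_status() {
    check_ajax_referer( 'donate_action_status', 'nonce' ); // dies with -1 on a bad nonce

    $donate_id = isset( $_POST['donate_id'] ) ? absint( $_POST['donate_id'] ) : 0;
    $status    = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $allowed   = array( 'completed', 'pending', 'cancelled' );
    if ( ! $donate_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid parameters', 400 );
    }

    $donation = get_post( $donate_id );
    if ( ! $donation || 'donation' !== $donation->post_type ) { // assumed post type
        wp_send_json_error( 'not found', 404 );
    }

    $can_manage = current_user_can( 'manage_options' );           // assumed capability
    $is_owner   = (int) get_post_meta( $donate_id, 'donor_id', true ) === get_current_user_id();
    if ( ! $can_manage && ! ( $is_owner && 'cancelled' === $status ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_update_post( array( 'ID' => $donate_id, 'post_status' => $status ) );
    wp_send_json_success( array( 'id' => $donate_id, 'status' => $status ) );
}
```

The client side must send the nonce created with wp_create_nonce( 'donate_action_status' ) in the 'nonce' field, and the hardened handler is deliberately not registered on a wp_ajax_nopriv_ hook.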

Impact

Exploitation of this vulnerability allows unauthorized users to change the status of donations, which could disrupt the intended functionality of the donation system and cause incorrect status notifications to be sent.

Reproduction

To reproduce this vulnerability, send a POST request to the 'wp_ajax_nopriv_donate_action_status' AJAX endpoint. Include the 'schema' parameter set to 'donate-ajax', the 'donate_id' parameter with the ID of the donation to be modified, and the 'status' parameter with the desired new status. The request can be made without authentication, taking advantage of the missing authorization checks.

Remediation

Users are advised to update to FundPress version 2.0.9 or later, where this vulnerability has been addressed.

Added: May 2, 2026, 8:26 AM
Updated: May 2, 2026, 8:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.