WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
Description
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of its REST routes, leading to an SQL injection exploitable by unauthenticated users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/WP Fundraising Donation and Crowdfunding Platform
- Range: <1.5.0
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and escaping of a parameter used in a SQL statement via a REST route allows SQL injection."
Attack vector
An unauthenticated attacker sends a crafted HTTP request to one of the plugin's REST API endpoints. The plugin fails to sanitize and escape a parameter before using it in a SQL statement, allowing the attacker to inject arbitrary SQL commands [ref_id=1]. Because the endpoint is accessible without authentication, any remote attacker can exploit this SQL injection to extract or modify database contents [CWE-89].
Affected code
The advisory does not specify the exact file or function name. The vulnerable code resides in a REST route of the WP Fundraising Donation and Crowdfunding Platform plugin, versions before 1.5.0 [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 1.5.0 of the plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds proper sanitization and escaping of the unsanitized parameter before it is used in the SQL query, preventing injection [CWE-89].
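As an added illustration (not the plugin's code: the advisory names neither the route nor the parameter, so the route path, callback names, table name and the `campaign_id` parameter below are assumptions), the unsafe pattern described above beside the form the fix is expected to take, using REST route argument validation and `$wpdb->prepare()`:

```php
<?php
// Added illustration, not the plugin's code. The advisory does not name the
// route, parameter or table, so "campaign_id", the route path, the callback
// names and the wp_fundraising_campaigns table are all hypothetical.

// Vulnerable pattern: the request value is concatenated straight into SQL,
// so a crafted value can change the statement's structure (CWE-89).
function hypothetical_campaign_lookup_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $id  = $request->get_param( 'campaign_id' ); // untrusted, never sanitised
    $sql = "SELECT id, title, goal FROM {$wpdb->prefix}fundraising_campaigns WHERE id = " . $id;
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Hardened pattern: the route's args sanitise and validate the value at the
// boundary, and $wpdb->prepare() binds it as data, never as SQL text.
function hypothetical_campaign_lookup_fixed( WP_REST_Request $request ) {
    global $wpdb;
    $id  = (int) $request->get_param( 'campaign_id' ); // already validated by the route args
    $sql = $wpdb->prepare(
        "SELECT id, title, goal FROM {$wpdb->prefix}fundraising_campaigns WHERE id = %d",
        $id
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypothetical-fundraising/v1', '/campaign', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'hypothetical_campaign_lookup_fixed',
        // The endpoint stays public, as the advisory's endpoint was; the
        // defence is input validation plus prepare(), not authentication.
        'permission_callback' => '__return_true',
        'args'                => array(
            'campaign_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );
```

For a string parameter the same shape applies with a `%s` placeholder in `prepare()` and `sanitize_text_field` as the sanitize callback; the point is that untrusted request data never reaches the SQL string unbound.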
Preconditions
- The WP Fundraising Donation and Crowdfunding Platform plugin must be installed and active in a version before 1.5.0.
- The attacker must have network access to the WordPress site's REST API endpoints.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
News mentions
No linked articles in our index yet.