High severity8.8NVD Advisory· Published Aug 1, 2024· Updated Jun 17, 2026
CVE-2024-6698
CVE-2024-6698
Description
The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying user meta updated through the update_user_meta function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta which can be leveraged to update their capabilities to gain administrator access.
Affected products
2- Range: <=1.7.0
- roxnor/FundEngine – Donation and Crowdfunding Platformv5Range: 0
Patches
Vulnerability mechanics
References
2- plugins.trac.wordpress.org/changesetnvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/2ec6cf42-291b-452d-ad14-80ae1cd5ec5cnvdThird Party Advisory
News mentions
0No linked articles in our index yet.