VYPR
Medium severity 4.3 · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47459


Description

Cross-Site Request Forgery (CSRF) vulnerability in Roxnor FundEngine wp-fundraising-donation allows Cross Site Request Forgery. This issue affects FundEngine: from n/a through <= 1.7.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Cross-Site Request Forgery (CSRF) vulnerability in FundEngine wp-fundraising-donation allows an unauthenticated attacker to force privileged users into performing unwanted actions.

Versions of the FundEngine plugin for WordPress (wp-fundraising-donation) up to and including 1.7.3 contain a Cross-Site Request Forgery (CSRF) vulnerability [1]. The root cause is the absence of proper CSRF protection mechanisms (such as nonce validation) on sensitive actions, enabling an attacker to craft malicious requests that are executed under the identity of a higher-privileged user [1].

Exploitation requires user interaction: the victim (a logged-in administrator or other privileged role) must click a crafted link, submit a malicious form, or visit a page designed by the attacker [1]. The attacker needs no authentication of their own, because the forged request is sent by the victim's browser and carries the victim's active session.

Successful exploitation could allow an attacker to force the victim to change plugin settings, create fraudulent donations, or initiate other unintended state-changing operations within the WordPress site, all under the victim's current session [1].

As of version 1.7.4 of the FundEngine plugin, the CSRF vulnerability has been patched [1]. Users are strongly advised to update to version 1.7.4 or later. For Patchstack subscribers, auto-updates can be enabled to protect vulnerable installations automatically [1].
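The nonce validation named above as the missing protection looks like this in a WordPress admin handler. This is an added example, not FundEngine's code or its 1.7.4 patch; the `demo_fund_*` action, field and option names are hypothetical.

```php
<?php
// Added illustration with hypothetical names (demo_fund_*); not the plugin's code.

// Render the settings form. wp_nonce_field() emits a hidden token bound to
// this action name and the current user's session, which a third-party page
// cannot read or predict.
function demo_fund_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_fund_save_settings">
        <?php wp_nonce_field( 'demo_fund_save_settings', 'demo_fund_nonce' ); ?>
        <input type="number" name="goal_amount"
               value="<?php echo esc_attr( get_option( 'demo_fund_goal', 0 ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// admin_post_{action} fires only for logged-in users. Being logged in is not
// enough on its own: the browser attaches the session cookie to cross-site
// requests too, which is the condition CSRF depends on.
add_action( 'admin_post_demo_fund_save_settings', 'demo_fund_save_settings' );

function demo_fund_save_settings() {
    // 1. Authorization: the session must belong to a role allowed to do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: reject the request unless it carries a valid nonce for this
    //    action. check_admin_referer() ends the request with a 403 when the
    //    token is missing, expired or was issued for another user or action.
    //    A handler without this line is the pattern the advisory describes.
    check_admin_referer( 'demo_fund_save_settings', 'demo_fund_nonce' );

    // 3. Only now touch state, and only with sanitized input.
    $goal = isset( $_POST['goal_amount'] )
        ? absint( wp_unslash( $_POST['goal_amount'] ) )
        : 0;
    update_option( 'demo_fund_goal', $goal );

    wp_safe_redirect( admin_url( 'options-general.php?updated=1' ) );
    exit;
}
```

When auditing a plugin for this class of bug, look for `admin_post_*`, `wp_ajax_*` and `admin_init` callbacks that write options or records without a matching `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call before the write.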

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
