CVE-2025-58999
Description
Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Cross Site Request Forgery. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) vulnerability in the WP Attractive Donations System plugin for WordPress allows attackers to force privileged users into performing unintended actions.
Vulnerability Analysis
The WP Attractive Donations System plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation. This allows attackers to craft malicious requests that can be triggered by privileged users, such as administrators, leading to unintended actions performed under their session [1].
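The missing check, shown as an added example rather than code from the plugin: a WordPress settings form and its `admin-post.php` handler with the nonce and capability checks in place. The `example_donations_*` function, action, field and option names are hypothetical.

```php
<?php
// Added illustration. The function, action, field and option names below are
// hypothetical; they are not taken from the WP Attractive Donations System code.

// Form side: emit a nonce bound to the current user and to this action.
function example_donations_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_donations_save">
        <?php wp_nonce_field( 'example_donations_save', 'example_donations_nonce' ); ?>
        <input type="number" name="default_amount" min="1"
               value="<?php echo esc_attr( get_option( 'example_donations_default_amount', 10 ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handler side. Without the two checks below, a state-changing POST sent from
// another site while an administrator is logged in is accepted, because the
// browser attaches the session cookie: the CSRF condition described above.
function example_donations_save_settings() {
    // Check 1: capability. A nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Check 2: nonce. Stops with a 403 if the field is missing, expired,
    // or was issued for a different user or action.
    check_admin_referer( 'example_donations_save', 'example_donations_nonce' );

    // Only reached for a request that carried a valid nonce.
    $amount = isset( $_POST['default_amount'] )
        ? absint( wp_unslash( $_POST['default_amount'] ) )
        : 0;
    if ( $amount > 0 ) {
        update_option( 'example_donations_default_amount', $amount );
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_donations_save', 'example_donations_save_settings' );
```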
Exploitation Conditions
Exploitation requires the victim to be logged into the WordPress site with higher privileges and to interact with a crafted link, form, or page. No prior authentication is needed for the attacker, but user interaction from an authenticated privileged user is essential [1].
Impact
A successful CSRF attack can force the authenticated user to modify plugin settings, change donation preferences, or execute other plugin-specific actions without their consent, potentially disrupting the donation system and affecting website operations [1].
Mitigation
The vulnerability affects all versions up to and including 1.25. Users are advised to update the plugin to the latest available version or remove it if no update is provided. Immediate action is recommended as these vulnerabilities are used in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.