VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 6, 2026

CVE-2026-10038

Description

WordPress Charitable plugin up to 1.8.11.1 allows authenticated users to delete arbitrary attachments via profile avatar updates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1. The flaw sits in the profile avatar update flow, specifically in the save_avatar() function, which calls wp_delete_attachment() on the attachment ID stored in the user's 'avatar' meta without verifying that the current user owns that attachment [3]. The Charitable_Data_Processor::process_picture() function can return the raw posted value when no file is uploaded, so an attacker can store any attachment ID in their own 'avatar' user meta [3].

Exploitation

An authenticated attacker with at least Subscriber-level access can exploit this vulnerability. The attack is a two-request chain. First, the attacker submits an avatar update with no file attached but with the 'avatar' field set to the ID of the attachment they want removed; process_picture() passes the raw value through, and it is stored in the user's 'avatar' meta. Second, the attacker submits a normal avatar update; save_avatar() reads the poisoned ID back from the meta and calls wp_delete_attachment() on it [3].

Impact

Successful exploitation allows a low-privileged user to delete arbitrary attachments from the WordPress Media Library, regardless of who uploaded them or which posts, pages, or products reference them. Removing site assets this way can break content and disrupt site functionality.

Mitigation

The vulnerability was fixed in version 1.8.11.2 of the Charitable plugin. Users are advised to update to this version or later. No workarounds are available. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"The save_avatar() function fails to validate attachment ownership before deletion, allowing arbitrary attachment removal."

Attack vector

An authenticated attacker with at least Subscriber-level access can exploit this vulnerability. The attack involves a two-request chain: first, the attacker poisons the user's 'avatar' meta value with the ID of an arbitrary attachment they wish to delete. This is possible because Charitable_Data_Processor::process_picture() returns the raw posted value when no file is uploaded. Second, the attacker triggers the deletion process via a normal avatar update, leading to the removal of the targeted attachment from the Media Library.

Affected code

The vulnerability lies within the save_avatar() function in the Charitable plugin. Specifically, it calls wp_delete_attachment() on an attachment ID retrieved from the user's 'avatar' meta without proper ownership validation. The Charitable_Data_Processor::process_picture() function also contributes by returning raw posted values when no file is uploaded, enabling meta value poisoning.

What the fix does

The patch, tracked on this page as [patch_id=4962413], modifies the save_avatar() function. Before calling wp_delete_attachment(), it now checks that the attachment ID read from the 'avatar' meta actually belongs to the current user. IDs that belong to other users are no longer deleted, which closes the arbitrary attachment deletion.
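The two-request chain described under Exploitation and the ownership check described above, as an added example that is not code from the Charitable plugin. The function names, parameters and the in-memory WordPress stand-ins are assumptions made so the file runs offline with `php avatar_demo.php`; inside WordPress the stubs are skipped and the real API functions (get_post, get_user_meta, update_user_meta, wp_delete_attachment) are used.

```php
<?php
/**
 * Added example, not the Charitable plugin's own code: a minimal avatar-save
 * flow showing the unsafe pattern beside a hardened version. Names, parameters
 * and the stubs below are assumptions so the file runs stand-alone.
 */

if ( ! function_exists( 'wp_delete_attachment' ) ) {
    // Constructed stand-ins for the WordPress API (only defined outside WordPress).
    $GLOBALS['demo_posts'] = array(
        10 => array( 'post_type' => 'attachment', 'post_author' => '1' ), // admin's site logo
        11 => array( 'post_type' => 'attachment', 'post_author' => '2' ), // subscriber's avatar
    );
    $GLOBALS['demo_meta'] = array( 2 => array( 'avatar' => 11 ) );

    function get_current_user_id() { return 2; } // the Subscriber is logged in
    function get_post( $id ) {
        return isset( $GLOBALS['demo_posts'][ $id ] ) ? (object) $GLOBALS['demo_posts'][ $id ] : null;
    }
    function get_user_meta( $user_id, $key, $single = false ) {
        return isset( $GLOBALS['demo_meta'][ $user_id ][ $key ] ) ? $GLOBALS['demo_meta'][ $user_id ][ $key ] : '';
    }
    function update_user_meta( $user_id, $key, $value ) {
        $GLOBALS['demo_meta'][ $user_id ][ $key ] = $value;
        return true;
    }
    function wp_delete_attachment( $id, $force = false ) {
        unset( $GLOBALS['demo_posts'][ $id ] );
        return true;
    }
}

/**
 * Unsafe pattern. $posted_avatar is the raw 'avatar' POST field; $uploaded_id is
 * the attachment ID produced by a successful upload, or 0 when no file was sent.
 */
function unsafe_save_avatar( $posted_avatar, $uploaded_id ) {
    $user_id = get_current_user_id();
    $old     = (int) get_user_meta( $user_id, 'avatar', true );
    if ( $old ) {
        wp_delete_attachment( $old, true ); // deletes whatever ID sits in the meta
    }
    // No upload: the raw posted value becomes the stored avatar (the poisoning step).
    $new = $uploaded_id ? $uploaded_id : (int) $posted_avatar;
    update_user_meta( $user_id, 'avatar', $new );
}

/** Hardened: only a real upload changes the avatar, and only an owned attachment is deleted. */
function safe_save_avatar( $posted_avatar, $uploaded_id ) {
    $user_id = get_current_user_id();
    if ( ! $uploaded_id ) {
        return false; // $posted_avatar is ignored on purpose: a bare ID is never trusted
    }
    $old = (int) get_user_meta( $user_id, 'avatar', true );
    if ( $old && attachment_owned_by( $old, $user_id ) ) {
        wp_delete_attachment( $old, true );
    }
    update_user_meta( $user_id, 'avatar', (int) $uploaded_id );
    return true;
}

/** Ownership check: the ID must resolve to an attachment authored by this user. */
function attachment_owned_by( $attachment_id, $user_id ) {
    $post = get_post( $attachment_id );
    return $post
        && 'attachment' === $post->post_type
        && (int) $post->post_author === (int) $user_id;
}

// Demo run (only outside WordPress): user 2 runs the two-request chain against
// attachment 10, which belongs to user 1.
if ( isset( $GLOBALS['demo_posts'] ) ) {
    unsafe_save_avatar( '10', 0 ); // request 1: meta poisoned with 10 (own avatar 11 is deleted)
    unsafe_save_avatar( '11', 0 ); // request 2: attachment 10 is deleted
    echo 'unsafe: attachment 10 ' . ( get_post( 10 ) ? 'survived' : 'deleted' ) . "\n";

    $GLOBALS['demo_posts'][10]         = array( 'post_type' => 'attachment', 'post_author' => '1' );
    $GLOBALS['demo_meta'][2]['avatar'] = 10; // assume the meta was poisoned by some other path
    safe_save_avatar( '10', 0 );  // rejected: no file uploaded
    safe_save_avatar( '', 12 );   // real upload: 10 is not ours, so it is left alone
    echo 'safe:   attachment 10 ' . ( get_post( 10 ) ? 'survived' : 'deleted' ) . "\n";
}
```

The hardened version fixes both halves of the chain: process_picture()'s pass-through is closed by refusing to change the meta without an upload, and save_avatar()'s deletion is gated on ownership so a poisoned meta is harmless even if it got there some other way. A stricter gate would be `current_user_can( 'delete_post', $attachment_id )`, but Subscribers lack the `delete_posts` capability that this maps to, so it would also stop them from replacing their own avatar; the author check above is the narrower fix that matches what the advisory describes.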

Preconditions

  • Authentication: the attacker must be authenticated with at least Subscriber-level access.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
