CVE-2026-39691
Description
Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box – Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cryptocurrency Donation Box – Bitcoin & Crypto Donations: from n/a through <= 2.2.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Cryptocurrency Donation Box plugin (<=2.2.13) allows unauthorized access to higher-privileged functions.
The Cryptocurrency Donation Box plugin for WordPress versions up to 2.2.13 suffers from a missing authorization vulnerability. The plugin fails to properly check user permissions or nonce tokens in certain functions, leading to broken access control. This flaw allows unauthenticated or low-privileged users to execute actions that should require higher privileges [1].
The vulnerability can be exploited by sending crafted requests to the plugin's endpoints without proper authentication. Attackers do not need special network access beyond being able to reach the WordPress site. The reference notes that such issues are commonly used in mass-exploit campaigns targeting thousands of sites regardless of size or popularity [1].
Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying donation settings, accessing sensitive data, or disrupting the plugin's functionality. The impact is limited by the plugin's specific capabilities, but could lead to further compromise depending on the site's configuration.
As an immediate mitigation, users should update the plugin to a patched version. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.2.13
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.