CVE Alert: CVE-2025-11893 – smub – Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
CVE-2025-11893
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires a paid donation.
AI Summary Analysis
Risk verdict
High risk. Authenticated SQL injection via the donation_ids parameter lets any account with Subscriber-level access or higher read data from the database; treat as priority 1 if the CVE is flagged in KEV or its EPSS score indicates exploitable risk.
Why this matters
Donor and site data stored by the donation feature could be read or exfiltrated, potentially exposing personal information and donation history. The combination of low attack complexity and a low authentication bar (a Subscriber-level account) makes targeted misuse feasible on any WordPress site with this plugin enabled where an attacker can hold such an account.
Most likely attack path
An attacker already logged in as Subscriber or above navigates to the donation workflow and submits a crafted donation_ids value. Because the parameter is insufficiently escaped and the SQL query is not prepared, the crafted value alters the query, allowing data leakage or broader database access. The vulnerability is reachable over the network, needs no interaction from another user and requires only low privileges, so the barrier to exploitation is low; per the description, a paid donation is also required. Once the query is controlled, related tables within the same database scope are potentially readable.
Who is most exposed
Sites running this donation plugin on WordPress, especially those holding donor records and processing payments, are at highest risk. Small to mid-sized charities and organisations that publish donation forms and store donor data on the same site are the typical deployment scenario.
Detection ideas
- Monitor donation endpoints for database error responses (HTTP 500s, SQL error strings) and for queries whose structure differs from the plugin's normal statements.
- Alert on donation submission requests whose donation_ids value carries SQL fragments rather than a plain list of numeric IDs.
- Watch for unusual spikes in reads from donor-related tables shortly after a low-privilege login.
- Add WAF/IDS signatures for injection patterns in the donation_ids parameter.
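A minimal allowlist detector for the last two ideas, as an added example that is not part of the original alert: it parses Common Log Format lines and flags any donation_ids value that is not a comma-separated list of numeric IDs (the expected shape is an assumption; the sample lines and the endpoint paths are constructed, and the value must be visible in the log, i.e. in the query string or in a WAF body log).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for the expected shape of donation_ids: one or more positive integers
# separated by commas (an assumption about how the plugin uses the parameter).
DONATION_IDS_OK = re.compile(r"^\d+(,\d+)*$")

# Common Log Format with the request line split into method, target and protocol.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def donation_ids_values(target):
    """Return every percent-decoded donation_ids value in a request target ([] if absent)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("donation_ids", [])


def flag_line(line):
    """Return (ip, status, value) for each donation_ids value that is not a plain ID list."""
    m = LOG_LINE.match(line)
    if not m:
        return []  # unparseable line: skip rather than crash the scan
    return [
        (m["ip"], m["status"], value)
        for value in donation_ids_values(m["target"])
        if not DONATION_IDS_OK.fullmatch(value)
    ]


def scan(log_text):
    """Run flag_line over every line of a log and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(flag_line(line))
    return findings


# Constructed sample lines (not real traffic): a benign list, a stray quote in the
# value (paired with a 500 response), and a POST whose body the access log omits.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /?donation_ids=12%2C15 HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2025:10:01:09 +0000] "GET /?donation_ids=12%27 HTTP/1.1" 500 233
203.0.113.7 - - [10/Nov/2025:10:01:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        print(f"suspicious donation_ids from {ip} (HTTP {status}): {value!r}")
```

Because the third line's parameter travels in a POST body, plain access logs cannot see it; pair this with a WAF that logs request bodies for the donation endpoints.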
Mitigation and prioritisation
- Update the plugin to a version later than 1.8.8.4, or disable the vulnerable donation feature if patching is not feasible.
- Run WordPress under a least-privilege database account that is separate from any other application sharing the database server.
- At the application layer, validate donation_ids as a list of numeric IDs and use parameterised queries (in WordPress plugins, $wpdb->prepare()); add a Web Application Firewall rule for SQL injection attempts against the donation endpoints.
- Test in a staging environment before rollout; record change-control notes and keep a rollback plan.
- If KEV is true or EPSS ≥ 0.5, treat as priority 1. Otherwise still prioritise, given the high impact and the low bar of Subscriber-level access.