PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57406 Roxnor CVE debrief

A Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FundEngine: from n/a through <= 1.7.6. The vulnerability has a CVSS score of 6.5 and is classified as MEDIUM severity. Users of FundEngine wp-fundraising-donation plugin for WordPress should verify their installation and update to a patched version if necessary. The CVE record was published on 2026-07-13T10:16:34.300Z and has not been modified since.

Vendor
Roxnor
Product
FundEngine
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of FundEngine wp-fundraising-donation plugin for WordPress should verify their installation and update to a patched version if necessary. Administrators of WordPress installations with the plugin installed should review and adjust access control configurations to prevent exploitation.

Technical summary

The CVE-2026-57406 vulnerability has a CVSS score of 6.5 and is classified as MEDIUM severity. The vulnerability is caused by a Missing Authorization issue in the Roxnor FundEngine wp-fundraising-donation plugin. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The vulnerability affects FundEngine: from n/a through <= 1.7.6.

Defensive priority

Medium priority due to the potential for exploitation and the availability of patches.

Recommended defensive actions

  • Verify the version of FundEngine wp-fundraising-donation and update to a patched version if necessary.
  • Implement compensating controls to monitor and restrict access to sensitive areas of the plugin.
  • Review and adjust access control configurations to prevent exploitation.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-13T10:16:34.300Z and has not been modified since. The NVD entry is currently Received. Limited information is available about the vulnerability, and further investigation is recommended. The vulnerability affects FundEngine wp-fundraising-donation plugin for WordPress, and users should verify their installation and update to a patched version if necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T10:16:34.300Z and has not been modified since.