PatchSiren cyber security CVE debrief

CVE-2026-10038 smub CVE debrief

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion. The issue affects versions up to, and including, 1.8.11.1 and is reachable through the profile avatar update flow. An authenticated attacker with Subscriber-level access or above can delete arbitrary attachments from the Media Library with a two-request chain: the first request submits the profile form with no file attached and an attacker-chosen attachment ID in the avatar field, which the plugin stores as the user's 'avatar' meta; the second request uploads a real avatar, and the plugin deletes what it believes is the previous avatar, namely the poisoned ID.

Vendor
smub
Product
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-06
Original CVE updated
2026-06-08
Advisory published
2026-06-06
Advisory updated
2026-06-08

Who should care

Operators of sites running the Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin at version 1.8.11.1 or earlier are affected. Exploitation requires an authenticated account at Subscriber level or higher, so sites that allow open registration, or that hand out Subscriber accounts to donors, expose the flaw to anyone who can sign up.

Technical summary

The vulnerability arises from the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user. Additionally, Charitable_Data_Processor::process_picture() returns the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID.
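The following is an added illustration of the pattern described above, not the Charitable plugin's own source. It models a minimal avatar-saving routine with the two defects named in the summary (deleting whatever ID is stored in 'avatar' meta without an ownership check, and echoing a raw posted value back when no file is uploaded), beside a hardened form. All function names prefixed `example_` are assumptions for the example; the WordPress calls (`get_user_meta`, `update_user_meta`, `wp_delete_attachment`, `get_post_type`, `get_post_field`, `media_handle_upload`) are core APIs.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are assumed.

// --- Vulnerable pattern -----------------------------------------------------
// Returns the "current" avatar attachment ID. When no file was uploaded it
// returns the raw posted value, so a client can write any attachment ID
// into the 'avatar' user meta (request 1 of the chain).
function example_process_picture_vulnerable( array $files, array $posted ) {
    if ( ! empty( $files['avatar']['tmp_name'] ) ) {
        $id = media_handle_upload( 'avatar', 0 ); // requires wp-admin/includes/media.php etc. on the front end
        return is_wp_error( $id ) ? 0 : (int) $id;
    }
    return isset( $posted['avatar'] ) ? $posted['avatar'] : 0; // attacker-controlled
}

// Deletes the "old" avatar read from user meta without checking who owns it.
// After request 1 poisoned the meta, request 2 (a real upload) deletes the
// victim attachment.
function example_save_avatar_vulnerable( int $user_id, int $new_attachment_id ): void {
    $old = (int) get_user_meta( $user_id, 'avatar', true );
    if ( $old && $old !== $new_attachment_id ) {
        wp_delete_attachment( $old, true ); // no ownership check
    }
    update_user_meta( $user_id, 'avatar', $new_attachment_id );
}

// --- Hardened pattern -------------------------------------------------------
// The server, not the client, knows the current avatar: when no file is
// uploaded, keep the stored value and ignore anything posted.
function example_process_picture_hardened( int $user_id, array $files ): int {
    if ( ! empty( $files['avatar']['tmp_name'] ) ) {
        $id = media_handle_upload( 'avatar', 0 );
        return is_wp_error( $id ) ? 0 : (int) $id;
    }
    return (int) get_user_meta( $user_id, 'avatar', true );
}

// Only an attachment authored by this user may be deleted on their behalf.
function example_user_owns_attachment( int $attachment_id, int $user_id ): bool {
    if ( $attachment_id <= 0 || 'attachment' !== get_post_type( $attachment_id ) ) {
        return false;
    }
    return (int) get_post_field( 'post_author', $attachment_id ) === $user_id;
}

function example_save_avatar_hardened( int $user_id, int $new_attachment_id ): void {
    $old = (int) get_user_meta( $user_id, 'avatar', true );
    if ( $old && $old !== $new_attachment_id && example_user_owns_attachment( $old, $user_id ) ) {
        wp_delete_attachment( $old, true );
    }
    update_user_meta( $user_id, 'avatar', $new_attachment_id );
}
```

Two points of the hardened form matter. Fixing only the ownership check still leaves the meta poisonable (harmless by itself, but a bug), and fixing only `process_picture` still leaves `save_avatar` trusting stored state that any other code path could set; the ownership check is the one that actually prevents the deletion. The check deliberately compares `post_author` rather than calling `current_user_can( 'delete_post', $id )`, because Subscribers lack the `delete_posts` capability and the plugin deletes the old avatar on their behalf; an `example_user_owns_attachment` built on the capability check alone would block legitimate avatar replacement for that role.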

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to a patched version of the Charitable plugin as soon as one is available; the stored evidence names 1.8.11.1 as the last affected release but does not record a fixed version.
  • Until the plugin is updated, reduce who can reach the profile avatar update flow: disable open registration or front-end profile editing for Subscriber accounts where the site does not need it. Restricting Media Library capabilities does not help here, because the deletion is performed by the plugin on the user's behalf, not through the Media Library UI.
  • Monitor for attachment deletions (wp_delete_attachment() removes the post row and the file) originating from low-privilege accounts, and audit the 'avatar' user meta for attachment IDs that do not belong to the user who holds them; a mismatch is the poisoned state that precedes the deletion.
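The audit suggested in the last item, as an added helper that is not part of the plugin or this advisory. It assumes the user meta key is literally 'avatar' (as the technical summary states) and standard WordPress tables, and is meant to be run with WP-CLI as `wp eval-file audit-avatar-meta.php`. The function name `example_audit_avatar_meta` is an assumption.

```php
<?php
// Added audit script, not plugin code. Assumes meta_key 'avatar' and the
// default $wpdb table names. Run: wp eval-file audit-avatar-meta.php

// Returns every 'avatar' meta value that does not point at an attachment
// authored by the same user. Such rows are either the poisoned state between
// the two requests of the attack chain or leftovers of an earlier deletion.
function example_audit_avatar_meta(): array {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT um.user_id, um.meta_value AS attachment_id,
                p.ID AS post_id, p.post_type, p.post_author
           FROM {$wpdb->usermeta} um
      LEFT JOIN {$wpdb->posts} p ON p.ID = CAST(um.meta_value AS UNSIGNED)
          WHERE um.meta_key = 'avatar' AND um.meta_value <> ''"
    );

    $findings = array();
    foreach ( $rows as $r ) {
        $reason = null;
        if ( ! ctype_digit( (string) $r->attachment_id ) ) {
            $reason = 'non-numeric avatar meta';
        } elseif ( null === $r->post_id ) {
            $reason = 'points at a post that no longer exists';
        } elseif ( 'attachment' !== $r->post_type ) {
            $reason = 'points at a non-attachment post';
        } elseif ( (int) $r->post_author !== (int) $r->user_id ) {
            $reason = 'points at an attachment owned by another user';
        }
        if ( null !== $reason ) {
            $findings[] = array(
                'user_id'       => (int) $r->user_id,
                'attachment_id' => (string) $r->attachment_id,
                'reason'        => $reason,
            );
        }
    }
    return $findings;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $findings = example_audit_avatar_meta();
    if ( empty( $findings ) ) {
        WP_CLI::success( 'No suspicious avatar meta values found.' );
    } else {
        WP_CLI\Utils\format_items( 'table', $findings, array( 'user_id', 'attachment_id', 'reason' ) );
        WP_CLI::warning( count( $findings ) . ' suspicious avatar meta value(s); review these users before they upload again.' );
    }
}
```

The "owned by another user" rows are the ones to act on first: they are attachment IDs that the next avatar upload by that user would delete. "No longer exists" rows are ambiguous on their own (the media may have been removed legitimately) and are worth comparing against a backup or the uploads directory to tell a completed deletion from routine housekeeping.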

Evidence notes

Evidence from Wordfence indicates that this vulnerability can be exploited through a two-request chain, allowing for arbitrary attachment deletion.

Official resources

CVE-2026-10038 was published on 2026-06-06T00:16:40.670Z and modified on 2026-06-08T14:57:14.757Z.