Description: Donation Forms by Charitable <= – Unauthenticated Privilege Escalation   
Affected Plugin: Charitable – Donations Plugin & Fundraising Platform for WordPress  
Plugin Slug: charitable  
Affected Versions: <=  
CVE ID: CVE-2023-4404  
CVSS Score: 9.8 (Critical)  
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
Researcher/s: Lana Codes   
Fully Patched Version:  
The Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, due to insufficient restriction on the ‘update_core_user’ function. This makes it possible for unauthenticated attackers to specify their user role by supplying the ‘role’ parameter during a registration.  
Technical Analysis  
Charitable is a plugin that makes it possible to create donation forms and fundraising campaigns in WordPress.  
The plugin provides a shortcode ([charitable_registration]) for a custom registration form. However, insecure implementation of the plugin’s registration functionality allows users to specify arbitrary parameters when creating an account. Examining the code reveals that there is no predefined list of user parameters, nor a ban list of dangerous parameters. This makes it possible to register an administrator user by supplying the ‘role’ parameter, with the value of the role they would like assigned to their account, such as ‘administrator’.  
The update_core_user method in the Charitable_User class  
As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.  
Disclosure Timeline  
August 10, 2023 – Discovery of the Privilege Escalation vulnerability in Charitable.  
August 10, 2023 – We tried to initiate contact with the plugin vendor via email asking that they confirm the inbox for handling the discussion.  
August 10, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.  
August 16, 2023 – Since we didn’t get a response to the email contact, we tried to contact the plugin vendor via contact form asking that they confirm the inbox for handling the discussion.  
August 16, 2023 – The vendor confirms the inbox for handling the discussion.  
August 16, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.  
August 17, 2023 – A fully patched version of the plugin,, is released.  
September 9, 2023 – Wordfence Free users receive the same protection.  
In this blog post, we detailed a Privilege Escalation vulnerability within the Charitable plugin affecting versions and earlier. This vulnerability allows unauthenticated threat actors to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version of the plugin.  
We encourage WordPress users to verify that their sites are updated to the latest patched version of Charitable.  
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 10, 2023. Sites still using the free version of Wordfence will receive the same protection on September 9, 2023.  
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.  
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.