CVE-2025-64636 Overview
CVE-2025-64636 is an unauthenticated broken access control vulnerability affecting the Donation Thermometer WordPress plugin in versions up to and including 2.2.7. The flaw stems from missing authorization checks [CWE-862] on plugin functionality that should require authenticated privileges. Remote attackers can interact with protected functionality over the network without any credentials or user interaction. The issue carries a CVSS v3.1 base score of 5.3 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, reflecting a limited integrity impact. The EPSS score is 0.214% (percentile 11.74), indicating low current exploitation probability.
Critical Impact
Unauthenticated remote attackers can invoke protected plugin actions on affected WordPress sites, tampering with donation-related data managed by the plugin.
Affected Products
- Donation Thermometer WordPress plugin versions <= 2.2.7
- WordPress sites running the vulnerable plugin build
- Any hosting environment exposing the affected plugin endpoints to the internet
Discovery Timeline
- 2026-06-26 - CVE-2025-64636 published to NVD
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2025-64636
Vulnerability Analysis
CVE-2025-64636 is a broken access control weakness in the Donation Thermometer plugin. The plugin exposes functionality that modifies plugin-managed state without verifying whether the requester holds the required WordPress capability. Because the missing check applies to unauthenticated requests, an attacker does not need a valid user session, nonce, or administrative role to reach the affected code path. The CVSS vector indicates a network-reachable attack with low complexity, no privileges, no user interaction, and a limited integrity impact with no confidentiality or availability effect.
Root Cause
The root cause is a missing authorization check [CWE-862] on one or more plugin request handlers. WordPress plugins typically enforce access using current_user_can() capability checks combined with nonce validation through check_admin_referer() or wp_verify_nonce(). In the vulnerable versions, these controls are absent or insufficient, allowing anonymous callers to reach logic intended for privileged users.
Attack Vector
An attacker sends a crafted HTTP request to the vulnerable plugin endpoint on a targeted WordPress site. Because the endpoint accepts unauthenticated input and performs no authorization validation, the requested action executes with the plugin's normal privileges. The impact is limited to integrity, meaning attackers can modify plugin data such as donation goals or thermometer values. Refer to the Patchstack Vulnerability Advisory for endpoint-level technical details.
Detection Methods for CVE-2025-64636
Indicators of Compromise
- Unauthenticated POST or GET requests to Donation Thermometer plugin action handlers under /wp-admin/admin-ajax.php or /wp-admin/admin-post.php.
- Unexpected modifications to donation goal values, thermometer totals, or plugin settings without a corresponding administrator login event.
- Requests to plugin endpoints originating from IP addresses that have never authenticated to the WordPress site.
Detection Strategies
- Inspect web server access logs for requests targeting Donation Thermometer plugin action names lacking a valid Cookie: wordpress_logged_in_* header.
- Alert on WordPress options table changes tied to the plugin when no corresponding admin session is active.
- Deploy a web application firewall rule that flags anonymous POST requests to plugin AJAX actions.
Monitoring Recommendations
- Enable audit logging for WordPress option updates and plugin-managed settings, correlating changes with authenticated user IDs.
- Track the installed version of the Donation Thermometer plugin across all WordPress instances and alert on versions <= 2.2.7.
- Monitor egress and ingress traffic patterns to /wp-admin/admin-ajax.php for anomalous spikes tied to plugin-specific actions.
How to Mitigate CVE-2025-64636
Immediate Actions Required
- Update the Donation Thermometer plugin to a version above 2.2.7 as soon as a patched release becomes available from the vendor.
- If no fixed version is available, deactivate and remove the plugin until a patch is released.
- Restrict access to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php using WAF rules that require authentication for plugin-specific actions.
- Review plugin-managed data such as donation goals and thermometer values for unauthorized modifications.
Patch Information
Refer to the Patchstack Vulnerability Advisory for the authoritative patch status and any vendor-supplied fixed version. Apply the update through the WordPress plugin management console once available and verify the plugin version post-update.
Workarounds
- Deactivate the Donation Thermometer plugin until a fixed release is installed.
- Deploy a virtual patch or WAF rule blocking unauthenticated requests to the affected plugin actions.
- Limit administrative endpoints such as /wp-admin/ by IP allowlist where operationally feasible.
# Example: block unauthenticated POST requests to plugin AJAX actions at the web server layer
# nginx snippet - adjust action names to match plugin handlers identified in the advisory
location = /wp-admin/admin-ajax.php {
if ($arg_action ~* "donation_thermometer_") {
if ($http_cookie !~* "wordpress_logged_in_") {
return 403;
}
}
include fastcgi_params;
fastcgi_pass php-fpm;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

