Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64636

CVE-2025-64636: Donation Thermometer Auth Bypass Flaw

CVE-2025-64636 is an authentication bypass vulnerability in Donation Thermometer plugin versions 2.2.7 and earlier that allows unauthenticated access. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-64636 Overview

CVE-2025-64636 is an unauthenticated broken access control vulnerability affecting the Donation Thermometer WordPress plugin in versions up to and including 2.2.7. The flaw stems from missing authorization checks [CWE-862] on plugin functionality that should require authenticated privileges. Remote attackers can interact with protected functionality over the network without any credentials or user interaction. The issue carries a CVSS v3.1 base score of 5.3 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, reflecting a limited integrity impact. The EPSS score is 0.214% (percentile 11.74), indicating low current exploitation probability.

Critical Impact

Unauthenticated remote attackers can invoke protected plugin actions on affected WordPress sites, tampering with donation-related data managed by the plugin.

Affected Products

  • Donation Thermometer WordPress plugin versions <= 2.2.7
  • WordPress sites running the vulnerable plugin build
  • Any hosting environment exposing the affected plugin endpoints to the internet

Discovery Timeline

  • 2026-06-26 - CVE-2025-64636 published to NVD
  • 2026-06-26 - Last updated in NVD database

Technical Details for CVE-2025-64636

Vulnerability Analysis

CVE-2025-64636 is a broken access control weakness in the Donation Thermometer plugin. The plugin exposes functionality that modifies plugin-managed state without verifying whether the requester holds the required WordPress capability. Because the missing check applies to unauthenticated requests, an attacker does not need a valid user session, nonce, or administrative role to reach the affected code path. The CVSS vector indicates a network-reachable attack with low complexity, no privileges, no user interaction, and a limited integrity impact with no confidentiality or availability effect.

Root Cause

The root cause is a missing authorization check [CWE-862] on one or more plugin request handlers. WordPress plugins typically enforce access using current_user_can() capability checks combined with nonce validation through check_admin_referer() or wp_verify_nonce(). In the vulnerable versions, these controls are absent or insufficient, allowing anonymous callers to reach logic intended for privileged users.

Attack Vector

An attacker sends a crafted HTTP request to the vulnerable plugin endpoint on a targeted WordPress site. Because the endpoint accepts unauthenticated input and performs no authorization validation, the requested action executes with the plugin's normal privileges. The impact is limited to integrity, meaning attackers can modify plugin data such as donation goals or thermometer values. Refer to the Patchstack Vulnerability Advisory for endpoint-level technical details.

Detection Methods for CVE-2025-64636

Indicators of Compromise

  • Unauthenticated POST or GET requests to Donation Thermometer plugin action handlers under /wp-admin/admin-ajax.php or /wp-admin/admin-post.php.
  • Unexpected modifications to donation goal values, thermometer totals, or plugin settings without a corresponding administrator login event.
  • Requests to plugin endpoints originating from IP addresses that have never authenticated to the WordPress site.

Detection Strategies

  • Inspect web server access logs for requests targeting Donation Thermometer plugin action names lacking a valid Cookie: wordpress_logged_in_* header.
  • Alert on WordPress options table changes tied to the plugin when no corresponding admin session is active.
  • Deploy a web application firewall rule that flags anonymous POST requests to plugin AJAX actions.

Monitoring Recommendations

  • Enable audit logging for WordPress option updates and plugin-managed settings, correlating changes with authenticated user IDs.
  • Track the installed version of the Donation Thermometer plugin across all WordPress instances and alert on versions <= 2.2.7.
  • Monitor egress and ingress traffic patterns to /wp-admin/admin-ajax.php for anomalous spikes tied to plugin-specific actions.

How to Mitigate CVE-2025-64636

Immediate Actions Required

  • Update the Donation Thermometer plugin to a version above 2.2.7 as soon as a patched release becomes available from the vendor.
  • If no fixed version is available, deactivate and remove the plugin until a patch is released.
  • Restrict access to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php using WAF rules that require authentication for plugin-specific actions.
  • Review plugin-managed data such as donation goals and thermometer values for unauthorized modifications.

Patch Information

Refer to the Patchstack Vulnerability Advisory for the authoritative patch status and any vendor-supplied fixed version. Apply the update through the WordPress plugin management console once available and verify the plugin version post-update.

Workarounds

  • Deactivate the Donation Thermometer plugin until a fixed release is installed.
  • Deploy a virtual patch or WAF rule blocking unauthenticated requests to the affected plugin actions.
  • Limit administrative endpoints such as /wp-admin/ by IP allowlist where operationally feasible.
bash
# Example: block unauthenticated POST requests to plugin AJAX actions at the web server layer
# nginx snippet - adjust action names to match plugin handlers identified in the advisory
location = /wp-admin/admin-ajax.php {
    if ($arg_action ~* "donation_thermometer_") {
        if ($http_cookie !~* "wordpress_logged_in_") {
            return 403;
        }
    }
    include fastcgi_params;
    fastcgi_pass php-fpm;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.