{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39691", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:44.797Z", "dateUpdated": "2026-04-08T08:30:44.797Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cryptocurrency-donation-box", "product": "Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations", "vendor": "AdAstraCrypto", "versions": [{"lessThanOrEqual": "2.2.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:43.645Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations: from n/a through <= 2.2.13.</p>"}], "value": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations: from n/a through <= 2.2.13."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:44.797Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cryptocurrency-donation-box/vulnerability/wordpress-cryptocurrency-donation-box-bitcoin-crypto-donations-plugin-2-2-13-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin <= 2.2.13 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations: from n/a through <= 2.2.13."}], "id": "CVE-2026-39691", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:41.370", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cryptocurrency-donation-box/vulnerability/wordpress-cryptocurrency-donation-box-bitcoin-crypto-donations-plugin-2-2-13-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations", "source": "cna", "vendor": "AdAstraCrypto"}, "product": "cryptocurrency_donation_box_\u2013_bitcoin_&_crypto_donations", "vendor": "adastracrypto"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:44:51.429515+00:00", "value": {"mitigation_remediation": ["Upgrade the Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin to a version newer than 2.2.13.", "If an upgrade is not immediately possible, deactivate the plugin until a patch is released.", "Restrict access to all WordPress admin pages and plugin settings so that only users with the administrator role can modify them, using role\u2011based access controls.", "Review and tighten permissions on files containing the plugin to prevent unauthorized file modifications.", "Perform periodic security scans of the site to detect missing authorization checks in WordPress plugins."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All installations of the AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin from the earliest released version through version 2.2.13 are affected. The plugin is a WordPress add\u2011on that provides a donation box for cryptocurrency tips.", "description_and_impact": "The vulnerability is a missing authorization flaw in the AdAstraCrypto Cryptocurrency Donation Box \u2013 Bitcoin & Crypto Donations plugin. Because access checks are absent on the plugin\u2019s administration interfaces, a non\u2011administrator user can view or alter the plugin\u2019s configuration, potentially changing donation parameters or exposing donor information. This broken access control enables unauthorized manipulation of the plugin\u2019s data and settings.", "risk_and_exploitability": "No CVSS score is provided, but the nature of the missing authorization condition makes the flaw high\u2011impact. An attacker can exploit it by making unauthenticated HTTP requests to the plugin\u2019s management URLs, which do not enforce proper role checks. The EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating that widespread exploitation has not yet been documented. The attack vector is inferred to be via the plugin\u2019s admin endpoints due to the description of incorrect access control."}}}}, "created": "2026-04-08T19:27:44.376597+00:00", "updated": "2026-04-08T19:40:29.252969+00:00", "vendors": ["adastracrypto", "adastracrypto$PRODUCT$cryptocurrency_donation_box_\u2013_bitcoin_&_crypto_donations", "wordpress", "wordpress$PRODUCT$wordpress"]}