Critical Privilege Escalation Vulnerability in Charitable WordPress Plugin Affects Over 10,000 sites

via wordfence.com => original post link

On August 10, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in the Donation Forms by Charitable plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by supplying a role during registration.
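The defect class described here is a registration handler that writes a caller-supplied role straight into the new account. The following is an added example, not code from the Charitable plugin or from Wordfence, showing the server-side check a plugin should apply before calling WordPress's `wp_insert_user()`: the request's `role` field is treated as untrusted, matched strictly against an allowlist of self-service roles, and privileged roles are refused even if the allowlist is misconfigured. The function name, the `$privileged` set and the sample requests are assumptions constructed for illustration; only `subscriber`, `administrator`, `editor`, `wp_insert_user()` and `get_option('default_role')` are real WordPress names.

```php
<?php
// Added example (not the plugin's code): resolve the role for a
// self-registered account without trusting the request.

/**
 * Decide which role a publicly registered account receives.
 *
 * @param array  $request       Decoded form fields (e.g. $_POST); untrusted.
 * @param array  $allowed_roles Roles a visitor may pick for themselves.
 * @param string $default_role  Fallback, e.g. get_option('default_role').
 * @return string The role safe to hand to wp_insert_user().
 */
function example_resolve_registration_role(array $request, array $allowed_roles, string $default_role): string
{
    // Hypothetical privileged set: refused even when a misconfigured
    // allowlist contains one of them (defence in depth).
    static $privileged = ['administrator', 'editor'];

    $allowed = array_diff(array_map('strval', $allowed_roles), $privileged);

    // Absent field, or a non-string (array/object) smuggled in -> default role.
    $requested = $request['role'] ?? null;
    if (!is_string($requested)) {
        return $default_role;
    }
    $requested = strtolower(trim($requested));

    // Strict comparison; anything unknown or privileged falls back to default.
    return in_array($requested, $allowed, true) ? $requested : $default_role;
}

// Vulnerable pattern (illustrative, not the plugin's code): the role is
// copied from the request, so any visitor chooses their own privilege level.
//   wp_insert_user(['user_login' => $login, 'user_pass' => $pass,
//                   'role' => $_POST['role']]);
//
// Hardened pattern: the role is resolved server-side before the insert.
//   wp_insert_user(['user_login' => $login, 'user_pass' => $pass,
//                   'role' => example_resolve_registration_role(
//                       $_POST, ['subscriber'], get_option('default_role'))]);

// Constructed requests exercising the decision offline (no WordPress needed).
// The allowlist is deliberately misconfigured to include 'administrator'
// to show that the privileged set still wins.
$cases = [
    ['role' => 'administrator'],   // caller-chosen privileged role -> subscriber
    ['role' => 'Subscriber '],     // legitimate choice, normalised -> subscriber
    ['role' => ['administrator']], // wrong type -> subscriber
    [],                            // field omitted -> subscriber
];
foreach ($cases as $req) {
    echo json_encode($req), ' => ',
         example_resolve_registration_role($req, ['subscriber', 'administrator'], 'subscriber'),
         PHP_EOL;
}
```

The important design choice is that the request never decides the outcome on its own: the default role is the result for every input except an exact allowlist match, and the allowlist itself cannot grant a privileged role. A plugin that needs several non-privileged roles (for example a hypothetical `donor` role) adds them to the allowlist, not to the request handling.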

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 10, 2023. Sites still using the free version of Wordfence will receive the same protection on September 9, 2023.

We contacted WP Charitable Team via email on August 10, 2023, but we didn’t get a response. Next, we tried to contact them via a contact form on their site on August 16, 2023, and we received a response on the same day. After providing full disclosure details, the developer released a patch on August 17, 2023. We would like to commend the WP Charitable Team for their prompt response and timely patch, which was released in just one day.