CVE-2024-8791 — AI Deep Analysis Summary

🚨 **Essence**: A critical privilege escalation flaw in the 'Donation Forms by Charitable' plugin. 📉 **Consequences**: Attackers can gain full control over the WordPress site, compromising data integrity and availability.

🛡️ **Root Cause**: CWE-639 (Authorization Bypass through User-Controlled Key). The plugin fails to properly verify user permissions before executing sensitive actions.

🏢 **Affected**: WordPress sites using 'Charitable – Donation Plugin'. 📅 **Version**: 1.8.1.14 and all earlier versions. ⚠️ **Vendor**: smub.

💀 **Impact**: High severity (CVSS 9.8). Hackers can escalate privileges to Admin level. 🔓 **Access**: Full read/write access to all site data, users, and configurations.

🔓 **Threshold**: LOW. CVSS indicates 'AV:N' (Network), 'AC:L' (Low Complexity), 'PR:N' (No Privileges Required). No authentication needed to exploit.

🔍 **Exploit Status**: No public PoC or Wild Exploit listed in the data. However, the vulnerability details are public, making it ripe for future exploitation.

🔎 **Self-Check**: Scan for 'Charitable' plugin version. Check if version is ≤ 1.8.1.14. Look for unauthorized admin actions in donation user management logs.

✅ **Fix**: Yes. The vendor has released a fix in the latest version. Update the plugin immediately via the WordPress dashboard or manual replacement.

🚧 **No Patch?**: Disable the 'Donation Forms by Charitable' plugin entirely if updating is not possible. Restrict access to wp-admin via IP whitelisting.

🔥 **Urgency**: CRITICAL. With CVSS 9.8 and no auth required, patch immediately. This is a 'zero-day' style risk for unpatched sites.