CVE-2025-10186: 
WordPress vulnerability analysis and mitigation

The WhyDonate WordPress plugin (versions up to 4.0.14) contains a security vulnerability identified as CVE-2025-10186. The vulnerability was discovered and disclosed on October 15, 2025, affecting the FREE Donate button – Crowdfunding – Fundraising plugin for WordPress. This security issue stems from a missing capability check in the remove_row function, which affects the plugin's data handling capabilities (NVD).

The vulnerability is classified with a CVSS v3.1 base score of 5.3 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The technical issue involves a missing authorization check (CWE-862) in the removerow function, which allows unauthorized access to delete data from the wpwdplugin_style table (Wordfence).

The vulnerability allows unauthenticated attackers to delete rows from the wpwdpluginstyle table, potentially causing unauthorized loss of data. This can affect the plugin's functionality and compromise the integrity of the donation system's styling configuration (NVD).

Users should upgrade to version 4.0.15 or later of the WhyDonate plugin, which contains security fixes. The vulnerability was addressed in subsequent releases after version 4.0.14 (WordPress Plugin).