The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its “donation_button_twilio_send_test_sms” AJAX action, which may allow any users with an account on the affected site, like subscribers, to use the plugin’s Twilio integration to send SMSes to arbitrary phone numbers.
[
{
"vendor": "Unknown",
"product": "Donation Button",
"collectionURL": "https://wordpress.org/plugins",
"versions": [
{
"status": "affected",
"versionType": "custom",
"version": "0",
"lessThanOrEqual": "4.0.0"
}
],
"defaultStatus": "affected"
}
]