The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its donation_button_twilio_send_test_sms AJAX action, which may allow any user with an account on the affected site, such as a subscriber, to use the plugin's Twilio integration to send SMS messages to arbitrary phone numbers.
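The advisory names two missing controls in a logged-in AJAX handler: a capability (privilege) check and a nonce check. The following is an added illustration of a WordPress admin-ajax handler that applies both; it is not the plugin's own code, and apart from the action name taken from the advisory, the function, capability, nonce action and option names are assumptions chosen for the example.

```php
<?php
// Added example, not the Donation Button plugin's code.
// The AJAX action name is the one from the advisory; everything else
// (function, capability, nonce action, option name) is assumed for illustration.

// 'wp_ajax_' hooks fire only for logged-in users, which is exactly why a
// subscriber account can reach them unless the handler enforces its own checks.
add_action( 'wp_ajax_donation_button_twilio_send_test_sms', 'db_example_send_test_sms' );

function db_example_send_test_sms() {
    // 1. Nonce check (anti-CSRF). With the default third argument this dies with
    //    HTTP 403 when the 'security' request field carries no valid nonce for
    //    the 'db_example_twilio_test' action.
    check_ajax_referer( 'db_example_twilio_test', 'security' );

    // 2. Privilege check (authorization). A nonce only proves the request came
    //    from a page that emitted one; it does not say the caller is allowed to
    //    act. Only users who may manage plugin settings get to trigger an SMS.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Do not take the destination from the request at all: a "test SMS" is
    //    sent to the administrator-configured test number stored in options.
    $to = get_option( 'db_example_twilio_test_number', '' );
    if ( '' === $to || ! preg_match( '/^\+[1-9][0-9]{6,14}$/', $to ) ) {
        wp_send_json_error( array( 'message' => 'No valid test number configured.' ), 400 );
    }

    // db_example_twilio_send() stands in for the plugin's Twilio call (assumed).
    $ok = db_example_twilio_send( $to, 'Donation Button test message' );

    if ( ! $ok ) {
        wp_send_json_error( array( 'message' => 'Twilio request failed.' ), 502 );
    }
    wp_send_json_success( array( 'message' => 'Test SMS queued.' ) );
}

// The admin page that offers the "send test SMS" button must hand the nonce
// to its script, e.g. via wp_localize_script() after enqueueing the script:
//
//   wp_localize_script( 'db-example-admin', 'dbExample', array(
//       'ajaxUrl' => admin_url( 'admin-ajax.php' ),
//       'nonce'   => wp_create_nonce( 'db_example_twilio_test' ),
//   ) );
//
// The client then posts action=donation_button_twilio_send_test_sms together
// with security=<nonce> to admin-ajax.php.

function db_example_twilio_send( $to, $body ) {
    // Placeholder for the real Twilio API call (assumed helper, not shown).
    return true;
}
```

The ordering matters for the failure mode the advisory describes: the nonce check stops cross-site forgery, but since any logged-in user who can load the page that emits the nonce can obtain one, it is the `current_user_can()` check that actually keeps subscribers away from the Twilio integration. Reading the destination number from a stored, validated option rather than from the request removes the "arbitrary phone numbers" outcome even if either check were later weakened.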
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Donation_button | Donation_button_project | * | 4.0.0 (including) |