Charitable Blog

Everything you need to know about Charitable and our team.

Release Notes: Charitable 1.6.39 Patches a Security Vulnerability

Last updated on

  • By
Eric Daams

Earlier this week we released Charitable 1.6.39, which fixed a security vulnerability (among a few other fixes). Please update as soon as possible, if you have not already done so.

At the outset of this post, let me say that I am not aware of any sites using Charitable that would be vulnerable to this issue. We discovered this issue in-house and released a fix within a day of identifying the problem.

Who was affected?

If you are using Charitable, this vulnerability did not affect you unless:

  • You have removed some (not all) of the Charitable-specific capabilities added to the Campaign Manager or Administrator roles, or from specific users with those roles.
  • You have added some (not all) of the Charitable-specific capabilities available to the Campaign Manager/Administrator roles to another role (like Editor), or to a specific user.

Changing the capabilities assigned to a specific role or a specific user is not possible with WordPress by default, but is is possible to do it with a number of different plugins.

What was the vulnerability?

This vulnerability is specifically related to the roles and capabilities added by Charitable.

Understanding Charitable roles & capabilities

Charitable core registers two user roles, one of which is the Campaign Manager role. This role has a set of capabilities that control what Campaign Manager users are able to do.

The capabilities available to the Campaign Manager include all of the capabilities available to Editors, as well as a set of capabilities that are added by Charitable:

  • view_charitable_sensitive_data
  • export_charitable_reports
  • edit_campaign
  • read_campaign
  • delete_campaign
  • edit_campaigns
  • edit_others_campaigns
  • publish_campaigns
  • read_private_campaigns
  • delete_campaigns
  • delete_private_campaigns
  • delete_published_campaigns
  • delete_others_campaigns
  • edit_private_campaigns
  • edit_published_campaigns
  • edit_donation
  • read_donation
  • delete_donation
  • edit_donations
  • edit_others_donations
  • publish_donations
  • read_private_donations
  • delete_donations
  • delete_private_donations
  • delete_published_donations
  • delete_others_donations
  • edit_private_donations
  • edit_published_donations
  • manage_campaign_terms
  • edit_campaign_terms
  • delete_campaign_terms
  • assign_campaign_terms

Note: All of the capabilities above are also added to the Administrator role.

Who is affected by the vulnerability?

To reiterate: when a user has all or none of the permissions above, there is no problem. This will be the case for most sites using Charitable.

However, if a site is modifying which capabilities are available to specific roles or specific users, there is the potential that users are inadvertently being provided with more information than they should be able to access.

Specifically:

  • A user with the edit_campaigns capability but without the edit_private_campaigns capability could still see private campaigns on the Campaigns page, though they could not edit these.
  • A user with the edit_campaigns capability but without the edit_others_campaigns capability could still see other users’ campaigns listed on the Campaigns page, though they could not edit these.
  • A user with the edit_donations capability but without the edit_others_donations capability could see other users’ donations listed on the Donations page, with links to view or edit them, though clicking on the link would result in WordPress informing them they lacked the required permissions.
  • A user with the edit_donations capability but without the edit_others_donations capability could create new donations for other users via the admin manual donation form.
  • A user without the export_charitable_reports capability with with the edit_donations or edit_campaigns capabilities could export the Donations or Campaigns reports.
  • A user with the view_charitable_sensitive_data capability but without permissions related to managing campaign terms such as manage_campaign_terms could still access the Campaign Categories and Campaign Tags pages and create/edit/delete terms.

If you know that you have made any modifications to how capabilities are allocated to different roles or specific users in your WordPress website, update to Charitable 1.6.39 as soon as possible.

Besides the issues noted above, Charitable 1.6.39 also resolved other issues related to having modified roles or user capabilities. For example, users with the view_charitable_sensitive_data capability but without the edit_campaigns capability would see a link to the Campaigns page in the WordPress dashboard menu, but would be denied access when clicking the link. The same issue existed for the Donations page for users without the edit_donations capability.

What else changed in Charitable 1.6.39?

The security fixes related to capabilities weren’t the only changes in Charitable 1.6.39. A number of other bugs were fixed, and one minor new feature was added:

  • New feature: Add CSS classes via post_class filter to target campaigns that have/have not reached their fundraising goal, or which have/have not ended. Issue #769
  • Fix: Donation Receipt & Donation Notification didn’t send when marking a donation as paid via the Donation Actions meta box or by editing the donation. Issue #771
  • Fix: Add default background color of white to the custom donation amount field to avoid issues where themes do not provide a color for the input field. Issue #766
  • Fix: Ensure that all campaign field values are correctly populated when viewing/editing a Draft campaign in the WordPress dashboard. Issue #763

Reminder: Update now

If you haven’t already, please go ahead and update your site to use the most recent version of Charitable now.

If you notice any problems related to this update, please get in touch with us via our support form.

author avatar
Eric Daams
See Full Bio

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. We only recommend products that we believe will add value to our readers.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get free tips and resources right in your inbox, along with 60,000+ others

Join our Newsletter

We won’t spam you. We only send an email when we think it will genuinely help you. Unsubscribe at any time!

Follow Us

Featured Video:

Watch more videos on our YouTube channel.

Popular Resources

Recurring Donations

Donor Management

Peer-to-Peer Fundraising

Integrations

Extensions

What's New In Charitable

🔔 Subscribe to get our latest updates
📧 Subscribe to Emails

Email Subscription

Join our Newsletter

We won’t spam you. We only send an email when we think it will genuinely help you. Unsubscribe at any time!

donation form Donations New

💵 Mini Donation Widget: Show The Impact Of Every Dollar!

Not every donor who wants to give will navigate to your campaign page. Meet them exactly where they are by placing a fully functional giving experience directly on any page or post.

💬 Show the impact of every dollar: Attach custom messages to each preset amount so donors understand exactly what their gift provides.
🔄 Monthly and one-time giving: Supports a tabbed interface with independent amounts and impact statements for recurring giving programs.
🎨 Match your brand: Easily set accent colors and control size or alignment to fit the widget naturally into your layout without CSS.
⚡ Reduce donor friction: Open the donation form in a modal overlay to keep donors on the page and reduce drop-off.

author avatar
Eric Daams
See Full Bio
Donations Live New

👉🏻 Showcase Real Momentum with the Donations Feed

Give your donors a reason to trust. Our new feed lets you display a living, breathing record of people showing up for your cause.

🤝 Build instant trust: Overcome donor hesitation by showing a proven track record of community support.
💬 Highlight donor stories: Display real donor comments and locations to show the human side of your fundraising.
🛠️ Drop it anywhere: Easily add the block to your homepage, campaign pages, or confirmation screens in seconds.
📈 Curate your feed: Group multiple donations from the same person or sort by highest amounts to encourage larger gifts.

author avatar
Eric Daams
See Full Bio
Campaigns New

🎨 Campaign Showcase: Pro Level Display, No Coding Needed.

Display your causes with style and make it easier than ever for donors to find the right campaign. We are excited to announce the brand-new Campaign Showcase, a powerful, no-code tool designed to help you create beautiful, high-converting campaign grids and carousels.

The Ultimate Discovery Experience

Your mission deserves to be seen. With the Campaign Showcase, you can move beyond simple lists and create dynamic displays that highlight your most urgent needs, helping donors connect with the causes they care about most.

⚡ No-Code Customization: Effortlessly change layouts, columns, and styles with a single click. Whether you want a clean grid or an interactive carousel, you can match your organization’s look without any CSS or JavaScript.

🎯 Advanced Search & Filter: Empower your supporters with real-time filtering. Donors can quickly sort through campaigns by tags, popularity, or “ending soon,” making it easy to find exactly where their help is needed.

💰 Quick Donate Integration: Boost your conversions with instant giving. The Showcase allows donors to contribute via a modal popup directly from the display, featuring pre-selected amounts for a faster, friction-free experience.

author avatar
Eric Daams
See Full Bio
Addon New

🤯 New Addon: Campaign Updates

Keep your supporters informed and engaged with every step of your progress! Share the ongoing impact of your mission and build lasting trust with your donor community!

The Ultimate Engagement Tool

Fundraising is a journey, not a one-time event. Now, you can easily provide real-time updates directly on your campaign pages, ensuring your donors stay connected to the causes they care about most.

📣 Easy Storytelling: Quickly post text updates, milestones, or field reports to show exactly how donations are being put to work, keeping the momentum alive throughout your fundraiser.

🏗️ Visual Builder Integration: Seamlessly add the Updates block anywhere on your page using our drag-and-drop builder, or use a simple shortcode to display news in widgets and sidebars.

📩 Build Donor Trust: By consistently sharing progress and success stories, you create a transparent giving experience that encourages recurring support and deeper community involvement.

author avatar
Eric Daams
See Full Bio
Integration New

Build Beautiful Fundraising Pages Visually with WPBakery Integration

We are excited to announce our brand-new integration with WPBakery, one of the most popular WordPress page builders, designed to help you create stunning layouts for your campaigns without touching a single line of code.

The Ultimate Design Experience

Designing your nonprofit’s website should be as simple as your mission is powerful. Now, you can bring Charitable functionality directly into your WPBakery workflow, using native elements to build high-converting donation pages and campaign grids in seconds.

🖱️ Drag-and-Drop Building: Easily add donation forms, campaign progress bars, and “Donate Now” buttons to your layouts using the WPBakery elements you already know and love.

🎨 Total Creative Control: Customize the look and feel of your fundraising elements using WPBakery’s native design options. Adjust margins, padding, and borders to ensure your campaigns fit perfectly with your site’s branding.

📱 Seamlessly Responsive: Every element is built to be fully responsive and mobile-friendly, ensuring your donors have a smooth, professional experience whether they are giving from a phone, tablet, or desktop.

author avatar
Eric Daams
See Full Bio
View All Announcements