Release Notes: Charitable 1.6.39 Patches a Security Vulnerability

Earlier this week we released Charitable 1.6.39, which fixed a security vulnerability (among a few other fixes). Please update as soon as possible, if you have not already done so.

At the outset of this post, let me say that I am not aware of any sites using Charitable that would be vulnerable to this issue. We discovered this issue in-house and released a fix within a day of identifying the problem.

Who was affected?

If you are using Charitable, this vulnerability did not affect you unless:

  • You have removed some (not all) of the Charitable-specific capabilities added to the Campaign Manager or Administrator roles, or from specific users with those roles.
  • You have added some (not all) of the Charitable-specific capabilities available to the Campaign Manager/Administrator roles to another role (like Editor), or to a specific user.

WordPress core has no built-in interface for changing the capabilities assigned to a role or to an individual user, but a number of plugins make it possible.

What was the vulnerability?

This vulnerability is specifically related to the roles and capabilities added by Charitable.

Understanding Charitable roles & capabilities

Charitable core registers two user roles, one of which is the Campaign Manager role. This role has a set of capabilities that control what Campaign Manager users are able to do.

The capabilities available to the Campaign Manager include all of the capabilities available to Editors, as well as a set of capabilities that are added by Charitable:

  • view_charitable_sensitive_data
  • export_charitable_reports
  • edit_campaign
  • read_campaign
  • delete_campaign
  • edit_campaigns
  • edit_others_campaigns
  • publish_campaigns
  • read_private_campaigns
  • delete_campaigns
  • delete_private_campaigns
  • delete_published_campaigns
  • delete_others_campaigns
  • edit_private_campaigns
  • edit_published_campaigns
  • edit_donation
  • read_donation
  • delete_donation
  • edit_donations
  • edit_others_donations
  • publish_donations
  • read_private_donations
  • delete_donations
  • delete_private_donations
  • delete_published_donations
  • delete_others_donations
  • edit_private_donations
  • edit_published_donations
  • manage_campaign_terms
  • edit_campaign_terms
  • delete_campaign_terms
  • assign_campaign_terms

Note: All of the capabilities above are also added to the Administrator role.
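Before deciding whether the conditions above apply to your site, it helps to check rather than guess. The following is an added audit snippet written for this post (it is not part of Charitable) that flags any role, or any user whose effective capabilities, hold some but not all of the capabilities listed above. It assumes that list is complete and that the site runs WordPress 4.3 or later (for wp_roles()); the function and constant names are the example's own.

```php
<?php
/**
 * Added audit snippet, not part of Charitable. Drop it into
 * wp-content/mu-plugins/ and load any admin page as an administrator; any
 * role or user with a partial Charitable capability set is written to the
 * PHP error log. Remove it once the audit is done.
 */

// The capability set listed in the post; assumed to be complete.
const CHARITABLE_AUDIT_CAPS = array(
	'view_charitable_sensitive_data', 'export_charitable_reports',
	'edit_campaign', 'read_campaign', 'delete_campaign',
	'edit_campaigns', 'edit_others_campaigns', 'publish_campaigns',
	'read_private_campaigns', 'delete_campaigns', 'delete_private_campaigns',
	'delete_published_campaigns', 'delete_others_campaigns',
	'edit_private_campaigns', 'edit_published_campaigns',
	'edit_donation', 'read_donation', 'delete_donation',
	'edit_donations', 'edit_others_donations', 'publish_donations',
	'read_private_donations', 'delete_donations', 'delete_private_donations',
	'delete_published_donations', 'delete_others_donations',
	'edit_private_donations', 'edit_published_donations',
	'manage_campaign_terms', 'edit_campaign_terms',
	'delete_campaign_terms', 'assign_campaign_terms',
);

/**
 * Takes a cap => bool map (the shape WordPress stores for roles and users)
 * and returns the Charitable capabilities that are NOT granted, or null when
 * the map grants all of them or none of them (the safe, all-or-nothing case).
 */
function charitable_audit_missing_caps( array $cap_map ) {
	$granted = array_keys( array_filter( $cap_map ) ); // entries set to false are revocations
	$held    = array_intersect( CHARITABLE_AUDIT_CAPS, $granted );
	if ( 0 === count( $held ) || count( CHARITABLE_AUDIT_CAPS ) === count( $held ) ) {
		return null;
	}
	return array_values( array_diff( CHARITABLE_AUDIT_CAPS, $held ) );
}

/** Roles with a partial set, as role slug => missing capabilities. */
function charitable_audit_roles() {
	$partial = array();
	foreach ( wp_roles()->roles as $slug => $role ) {
		$missing = charitable_audit_missing_caps( $role['capabilities'] );
		if ( null !== $missing ) {
			$partial[ $slug ] = $missing;
		}
	}
	return $partial;
}

/**
 * Users whose effective capabilities (role caps merged with per-user grants
 * and revocations, exposed by WordPress as WP_User::$allcaps) form a partial
 * set, as user login => missing capabilities.
 */
function charitable_audit_users() {
	$partial = array();
	foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
		$user = get_userdata( $user_id );
		if ( ! $user ) {
			continue;
		}
		$missing = charitable_audit_missing_caps( $user->allcaps );
		if ( null !== $missing ) {
			$partial[ $user->user_login ] = $missing;
		}
	}
	return $partial;
}

add_action( 'admin_init', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$report = array(
		'roles' => charitable_audit_roles(),
		'users' => charitable_audit_users(),
	);
	if ( $report['roles'] || $report['users'] ) {
		error_log( 'Charitable capability audit: ' . wp_json_encode( $report ) );
	}
} );
```

An empty report means every role and user is in the all-or-nothing case described above. The per-user pass loads every account, so on a large site run it once and remove the file. Where WP-CLI is installed, `wp cap list <role-slug>` prints a single role's capabilities for a quick manual comparison against the list.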

Who is affected by the vulnerability?

To reiterate: when a user has all or none of the capabilities above, there is no problem. This will be the case for most sites using Charitable.

However, if a site is modifying which capabilities are available to specific roles or specific users, there is the potential that users are inadvertently being provided with more information than they should be able to access.

Specifically:

  • A user with the edit_campaigns capability but without the edit_private_campaigns capability could still see private campaigns on the Campaigns page, though they could not edit these.
  • A user with the edit_campaigns capability but without the edit_others_campaigns capability could still see other users’ campaigns listed on the Campaigns page, though they could not edit these.
  • A user with the edit_donations capability but without the edit_others_donations capability could see other users’ donations listed on the Donations page, with links to view or edit them, though clicking on the link would result in WordPress informing them they lacked the required permissions.
  • A user with the edit_donations capability but without the edit_others_donations capability could create new donations for other users via the admin manual donation form.
  • A user without the export_charitable_reports capability but with the edit_donations or edit_campaigns capability could export the Donations or Campaigns reports.
  • A user with the view_charitable_sensitive_data capability but without permissions related to managing campaign terms such as manage_campaign_terms could still access the Campaign Categories and Campaign Tags pages and create/edit/delete terms.

If you know that you have made any modifications to how capabilities are allocated to different roles or specific users in your WordPress website, update to Charitable 1.6.39 as soon as possible.

Besides the issues noted above, Charitable 1.6.39 also resolved other issues related to having modified roles or user capabilities. For example, users with the view_charitable_sensitive_data capability but without the edit_campaigns capability would see a link to the Campaigns page in the WordPress dashboard menu, but would be denied access when clicking the link. The same issue existed for the Donations page for users without the edit_donations capability.
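The items above share one root cause: a screen, action or menu entry was gated on a blanket capability (edit_campaigns, edit_donations or view_charitable_sensitive_data) where a more specific capability applies. The following is an added illustration of that weak pattern beside a hardened form, written for this post and not taken from Charitable's code. It assumes the campaign and donation post types use the slugs `campaign` and `donation` and are registered with map_meta_cap enabled (as the singular edit_campaign and edit_donation capabilities above suggest); the function names, the `charitable-export` admin-post action and nonce, the `charitable` menu slug and the `campaign_category` taxonomy slug are the example's own assumptions.

```php
<?php
// Added illustration, not Charitable's code. Names marked "assumed" are the
// example's own; the capability names are the ones listed in this post.

// 1. Listing screens. Weak: one blanket check, after which every row is listed.
function example_weak_can_list_campaigns() {
	return current_user_can( 'edit_campaigns' );
}

// Hardened: keep the screen check, but narrow the main admin query so a user
// without edit_others_campaigns sees only their own campaigns and a user
// without edit_private_campaigns never sees private ones, even when a
// post_status=private view is requested by URL.
add_action( 'pre_get_posts', function ( WP_Query $query ) {
	if ( ! is_admin() || ! $query->is_main_query() || 'campaign' !== $query->get( 'post_type' ) ) {
		return;
	}
	if ( ! current_user_can( 'edit_others_campaigns' ) ) {
		$query->set( 'author', get_current_user_id() );
	}
	if ( ! current_user_can( 'edit_private_campaigns' ) ) {
		$query->set( 'post_status', array( 'publish', 'pending', 'draft', 'future' ) );
	}
} );

// 2. Per-object actions. Weak: the manual donation form asks only for the
// blanket capability, so any donations editor can record a donation for anyone.
function example_weak_can_record_donation_for( $donor_user_id ) {
	return current_user_can( 'edit_donations' );
}

// Hardened: recording a donation on someone else's behalf needs
// edit_others_donations. Editing an existing donation asks about that post
// through the meta capability, which map_meta_cap resolves to
// edit_others_donations / edit_private_donations / edit_published_donations
// for the specific donation.
function example_hardened_can_record_donation_for( $donor_user_id ) {
	if ( ! current_user_can( 'edit_donations' ) ) {
		return false;
	}
	return (int) $donor_user_id === get_current_user_id()
		|| current_user_can( 'edit_others_donations' );
}

function example_hardened_can_edit_donation( $donation_id ) {
	return current_user_can( 'edit_donation', $donation_id );
}

// 3. Exports. Weak: either blanket capability unlocks the report download.
function example_weak_can_export_reports() {
	return current_user_can( 'edit_donations' ) || current_user_can( 'edit_campaigns' );
}

// Hardened: the dedicated capability, checked on the request that builds the
// file; hiding the link in the UI is not a control on its own.
function example_hardened_can_export_reports() {
	return current_user_can( 'export_charitable_reports' );
}

add_action( 'admin_post_charitable-export', function () { // action name assumed
	if ( ! example_hardened_can_export_reports() ) {
		wp_die( 'Sorry, you are not allowed to export reports.', 403 );
	}
	check_admin_referer( 'charitable-export' ); // nonce name assumed
	// ... build and stream the report here.
} );

// 4. Menu entries and taxonomy screens. Each link carries the capability of
// the screen it opens, so a user who lacks it neither sees the link nor can
// load the page directly. The Categories screen is gated on the taxonomy's own
// manage_terms capability rather than on view_charitable_sensitive_data.
add_action( 'admin_menu', function () {
	$menu = 'charitable'; // top-level menu slug assumed
	add_submenu_page( $menu, 'Campaigns', 'Campaigns', 'edit_campaigns', 'edit.php?post_type=campaign' );
	add_submenu_page( $menu, 'Donations', 'Donations', 'edit_donations', 'edit.php?post_type=donation' );
	$tax = get_taxonomy( 'campaign_category' ); // taxonomy slug assumed
	if ( $tax ) {
		add_submenu_page( $menu, 'Campaign Categories', 'Categories', $tax->cap->manage_terms,
			'edit-tags.php?taxonomy=campaign_category&post_type=campaign' );
	}
}, 20 );
```

The rule the hardened forms follow is that the capability checked is the one named for the feature, and object-level decisions go through the meta capability with the object ID, so that a role holding a partial set gets exactly what that set grants and nothing more.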

What else changed in Charitable 1.6.39?

The security fixes related to capabilities weren’t the only changes in Charitable 1.6.39. A number of other bugs were fixed, and one minor new feature was added:

  • New feature: Add CSS classes via post_class filter to target campaigns that have/have not reached their fundraising goal, or which have/have not ended. Issue #769
  • Fix: Donation Receipt & Donation Notification didn’t send when marking a donation as paid via the Donation Actions meta box or by editing the donation. Issue #771
  • Fix: Add default background color of white to the custom donation amount field to avoid issues where themes do not provide a color for the input field. Issue #766
  • Fix: Ensure that all campaign field values are correctly populated when viewing/editing a Draft campaign in the WordPress dashboard. Issue #763

Reminder: Update now

If you haven’t already, please go ahead and update your site to use the most recent version of Charitable now.

If you notice any problems related to this update, please get in touch with us via our support form.

Eric Daams
