Attack Vectors
CVE-2026-24960 is a High severity vulnerability (CVSS 8.8) affecting the Charety – Charity & Donation WordPress Theme (slug: charety) in versions prior to 2.0.2. The issue allows an attacker with an authenticated WordPress account (including Subscriber and above) to upload arbitrary files to the server.
From a business-risk perspective, the most common real-world pathway is not an unknown “hacker” magically logging in—it’s an attacker using a low-privilege account obtained through password reuse, credential stuffing, phishing, or a previously leaked user database. Once they can log in at Subscriber level, they may be able to upload files that should never be accepted by the site.
Security Weakness
The core weakness is missing file type validation in the theme's upload functionality (all versions before 2.0.2). In practical terms, the site may accept files that should be blocked (for example, files that the web server could execute as code) instead of restricting uploads to an allowlist of safe formats.
This matters because file upload controls often exist to support legitimate marketing and fundraising activities (images, documents, campaign assets). When validation is incomplete or absent, that same workflow can be abused to place unauthorized files on your web server—potentially enabling follow-on actions that are far more damaging than a simple “bad upload.”
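For contrast, the following is what a correctly validated WordPress upload handler looks like. This is an added illustration, not Charety's code or the vendor's patch; the AJAX action name, nonce action, field name and allowed-type list are assumptions chosen for the example.

```php
<?php
// Added example (not Charety's code): a hardened WordPress AJAX upload handler.
// Endpoint name, nonce action, field name and allowlist are assumptions for illustration.

add_action( 'wp_ajax_example_campaign_upload', 'example_campaign_upload' );

function example_campaign_upload() {
    // 1. Require a valid nonce so the request originates from a page this site served.
    check_ajax_referer( 'example_campaign_upload', 'nonce' );

    // 2. Require a capability, not merely a login. Subscribers lack upload_files by default.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['asset'] ) || ! is_uploaded_file( $_FILES['asset']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file = $_FILES['asset'];

    // 3. Allowlist, not denylist: only the formats a campaign asset actually needs.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'pdf'          => 'application/pdf',
    );

    // 4. Check the extension AND the content together. wp_check_filetype_and_ext()
    //    inspects the bytes (finfo / getimagesize) and returns empty 'ext'/'type'
    //    when they do not match an allowed type, so a script renamed to .png fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 5. Let WordPress move the file: it re-validates against the same allowlist,
    //    sanitizes the filename and stores it under wp-content/uploads.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

A handler that skips step 4 and passes no `mimes` restriction is the pattern this advisory describes: whatever the user names the file is what the server stores.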
Remediation: Update Charety to version 2.0.2 or newer (patched). Track the CVE record here: https://www.cve.org/CVERecord?id=CVE-2026-24960. Reference advisory source: Wordfence vulnerability entry.
Technical or Business Impacts
If exploited, this vulnerability can enable an attacker to upload arbitrary files to your server and may make remote code execution possible. That is a high-impact outcome that can quickly turn a marketing website into an incident affecting operations, finance, and compliance.
Potential business impacts include:
Website takeover and downtime: Attackers may deface pages, redirect donation traffic, or disrupt campaigns—directly affecting fundraising and brand trust.
Data exposure risk: A compromised site can become a stepping stone to access sensitive data (donor information, contact records, internal emails), increasing regulatory and contractual exposure.
Financial fraud and reputational damage: Charity and donation sites are attractive targets for payment redirection, fake donation forms, and malicious redirects. Even a short-lived compromise can trigger donor complaints, chargebacks, and brand harm.
Compliance and incident-response costs: You may face notification obligations, forensic investigation costs, emergency IT spend, and increased scrutiny from partners, payment providers, or auditors.
Similar attacks (real examples):
Elementor Pro vulnerabilities (Wordfence)
File Manager plugin critical file upload/RCE incident (Wordfence)
WP File Manager mass exploitation coverage (Wordfence)