A vulnerability labeled as critical has been found in smub Charitable Plugin up to 1.8.11.1 on WordPress. This affects the function save_avatar . The manipulation results in authorization bypass. This vulnerability is identified as CVE-2026-10038 . The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded.