CVE-2025-4519
8.8
CVSS SCORE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_password() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to initiate a password reset for any user (including administrators) and elevate their privileges for full site takeover.
CVSS Vector Details
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Software Configurations
- a themeatelier idonate * * * * * wordpress * *
Weaknesses (CWE)
- CWE-285
References & External Links
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/DonorFunctions.php#L410
- https://plugins.trac.wordpress.org/changeset/3334424/idonate/tags/2.1.10/src/Helpers/DonorFunctions.php?old=3279142&old_path=idonate%2Ftags%2F2.1.9%2Fsrc%2FHelpers%2FDonorFunctions.php
- https://wordpress.org/plugins/idonate/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/596aef67-582a-4506-bae9-c7be1899e47a?source=cve