IDonate – Blood Donation, Request And Donor Management System Vulne…

Feb 18, 2026 | Plugins

Attack Vectors

IDonate – Blood Donation, Request And Donor Management System (slug: idonate) versions 2.1.5 through 2.1.9 contain a High-severity vulnerability (CVSS 8.8, CVE-2025-4521) that can be exploited by any authenticated WordPress user with Subscriber-level access or higher. In practical terms, this means a low-privileged account (including an account created through normal site registration flows) can be enough to launch the attack.

The attack path involves abusing the plugin’s idonate_donor_profile() function by supplying a chosen donor_id to target another user. An attacker can reassign the victim’s email address and then trigger a standard password reset flow, enabling account takeover and subsequent privilege escalation.

Security Weakness

The root issue is missing authorization (a missing capability check) in the idonate_donor_profile() function in IDonate 2.1.5–2.1.9. Without a proper check to confirm that the requester is allowed to modify the specified profile, the function can be used to update sensitive account-related data for users other than the requester.

This is a classic access-control failure: the feature behaves as if any logged-in user is permitted to make changes that should be restricted. Because email addresses are commonly used as the identity anchor for password resets and account recovery, unauthorized email reassignment creates a direct route to take over accounts.
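To make the access-control failure concrete, the following is an added illustration and not IDonate's own code: a hypothetical AJAX handler that lets a donor change the email on a profile, shown first in the missing-authorization shape the advisory describes and then hardened. The function names, the `example_donor_profile` action and nonce name, and the `donor_id`/`email` request fields are assumptions for this illustration; the WordPress functions called (`check_ajax_referer`, `current_user_can`, `wp_update_user`, `email_exists`, and so on) are core APIs.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed "example_"
// are assumptions; the WordPress core functions are real.

// MISSING-AUTHORIZATION PATTERN (hypothetical): the handler trusts the
// caller-supplied donor_id, so any logged-in user can name another
// account and rewrite its email, which is exactly the weakness the
// advisory describes for idonate_donor_profile().
function example_donor_profile_vulnerable() {
    $donor_id = absint( $_POST['donor_id'] );
    $email    = sanitize_email( $_POST['email'] );

    wp_update_user( array( 'ID' => $donor_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// HARDENED: the acting user, not the request body, decides which profile
// may be changed, and the change is gated on CSRF, authn, authz and input checks.
function example_donor_profile_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_donor_profile', 'nonce' );

    // 2. Authentication: anonymous requests are rejected outright.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    $donor_id = isset( $_POST['donor_id'] ) ? absint( $_POST['donor_id'] ) : 0;
    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // 3. Authorization: only the profile owner, or a user who holds the
    //    edit_user meta capability for that specific ID (administrators),
    //    may proceed. This is the capability check the advisory says is missing.
    if ( $donor_id !== get_current_user_id() && ! current_user_can( 'edit_user', $donor_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Validate the new identity anchor and refuse collisions with other accounts.
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $owner = email_exists( $email ); // user ID or false
    if ( $owner && $owner !== $donor_id ) {
        wp_send_json_error( 'email already in use', 409 );
    }

    $result = wp_update_user( array( 'ID' => $donor_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'user_id' => $result ) );
}
add_action( 'wp_ajax_example_donor_profile', 'example_donor_profile_hardened' );
```

The ownership test alone would already close the account-takeover path; `current_user_can( 'edit_user', $donor_id )` is kept so that administrators retain their normal ability to edit other profiles without reopening it for everyone else. A second safeguard is WordPress core itself: since version 4.3, `wp_update_user()` notifies the old address when `user_email` changes (controlled by the `send_email_change_email` filter), so leaving that notification enabled gives the victim a chance to notice an unauthorized reassignment before a reset is triggered.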

Technical or Business Impacts

The immediate technical impact is account takeover, followed by potential full administrator access. With administrator privileges, an attacker can alter site content, create new admin users, change payment or donation workflows, redirect traffic, or deploy additional malicious components.

For marketing directors and executives, the business risks are substantial: loss of brand trust, downtime during incident response, compromised campaign integrity (defaced landing pages or altered calls-to-action), and potential exposure of donor- or customer-related information depending on what the WordPress site stores. The incident can also trigger compliance and reporting obligations, especially if personal data is impacted.

Remediation: Update IDonate to version 2.1.0 or a newer patched version, as recommended by the source advisory. Validate that only necessary user roles have accounts on the site, review admin account lists for unexpected users, and audit recent changes if an affected version of the plugin was installed.
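The version check and the administrator review above can be scripted. The following is an added audit script, not part of the advisory or the plugin, intended to be run on the site with WP-CLI as `wp eval-file audit-idonate.php`. It takes the affected range (2.1.5 through 2.1.9) and the plugin slug `idonate` from this post; the assumption that the plugin lives in a directory named after its slug is labelled in the code.

```php
<?php
// Added audit script, not the plugin's or the advisory's code.
// Assumes WP-CLI loads WordPress (ABSPATH defined) before this file runs.

require_once ABSPATH . 'wp-admin/includes/plugin.php';

// Affected range taken from the advisory: 2.1.5 through 2.1.9.
function example_idonate_affected( $version ) {
    return version_compare( $version, '2.1.5', '>=' )
        && version_compare( $version, '2.1.9', '<=' );
}

// Locate the plugin by directory name (assumed to equal the slug 'idonate')
// rather than guessing its main file name.
$found = false;
foreach ( get_plugins() as $file => $headers ) {
    if ( dirname( $file ) === 'idonate' ) {
        $found = true;
        $state = is_plugin_active( $file ) ? 'active' : 'inactive';
        $flag  = example_idonate_affected( $headers['Version'] ) ? 'AFFECTED, update now' : 'outside affected range';
        printf( "%s %s (%s): %s\n", $headers['Name'], $headers['Version'], $state, $flag );
    }
}
if ( ! $found ) {
    echo "IDonate is not installed on this site.\n";
}

// Newest administrators first: an admin account created around the time an
// affected version was installed deserves a closer look, as does any admin
// whose email was changed to an address nobody on the team recognises.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
printf( "\n%d administrator account(s):\n", count( $admins ) );
foreach ( $admins as $admin ) {
    printf( "%-20s %-35s registered %s\n", $admin->user_login, $admin->user_email, $admin->user_registered );
}
```

Because the takeover path runs through an email reassignment followed by a password reset, the administrator listing is worth reading for changed email addresses as well as for unfamiliar logins; an existing admin whose address now points at a domain nobody recognises is as much of a finding as a newly created account.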

Similar Attacks

Privilege escalation and account takeover via missing authorization checks are common in WordPress plugin vulnerabilities. Examples of documented, real-world cases include:

Wordfence: Essential Addons for Elementor privilege escalation vulnerability

Wordfence: InfiniteWP Admin Panel vulnerability

Wordfence: LiteSpeed Cache privilege escalation vulnerability
