Vulnerability Description
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. The function does not verify that the caller owns, or is allowed to manage, the donor record identified by the donor_id it receives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account: the attacker supplies the donor_id linked to the victim's account, changes that account's email address to one they control, and then requests a password reset, which is delivered to the new address. Performed against an administrator's account, this grants the attacker full administrator privileges.
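The following is an added illustration of the flaw class described above and of the check that closes it. It is not the IDonate plugin's own code: the handler names, the donor table, the request fields and the nonce action are assumptions chosen to show the pattern, and only idonate_donor_profile() is named in the advisory.

```php
<?php
// Added example (not IDonate's code). Table name, fields and handler names are assumptions.

// VULNERABLE PATTERN: any logged-in user can reach the handler, choose an arbitrary
// donor_id and rewrite the email of whichever WordPress account that donor record
// points at. A password reset requested afterwards is mailed to the attacker's address.
function example_donor_profile_vulnerable() {
    global $wpdb;
    $donor_id  = isset( $_POST['donor_id'] ) ? absint( $_POST['donor_id'] ) : 0;
    $new_email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // Hypothetical lookup: which WordPress user is linked to this donor record?
    $user_id = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT user_id FROM {$wpdb->prefix}example_donors WHERE id = %d", $donor_id )
    );

    // Missing: no check that the caller owns $donor_id or may edit other users.
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $new_email ) );
    wp_send_json_success();
}

// HARDENED PATTERN: CSRF nonce, ownership/capability check, and a guard against
// pointing two accounts at the same address.
function example_donor_profile_hardened() {
    global $wpdb;

    // CSRF protection: the request must carry a nonce for this specific action.
    check_ajax_referer( 'example_donor_profile', '_wpnonce' );

    $donor_id  = isset( $_POST['donor_id'] ) ? absint( $_POST['donor_id'] ) : 0;
    $new_email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    if ( ! is_email( $new_email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    $user_id = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT user_id FROM {$wpdb->prefix}example_donors WHERE id = %d", $donor_id )
    );

    // Authorization: the record must belong to the caller, or the caller must hold a
    // capability that legitimately covers editing other users' accounts.
    $is_owner = ( $user_id > 0 && $user_id === get_current_user_id() );
    if ( ! $is_owner && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Refuse an address already used by a different account.
    $existing = email_exists( $new_email );
    if ( $existing && (int) $existing !== $user_id ) {
        wp_send_json_error( 'email in use', 409 );
    }

    wp_update_user( array( 'ID' => $user_id, 'user_email' => $new_email ) );
    wp_send_json_success();
}

// Registered only for logged-in users; the capability check above is still required,
// because wp_ajax_ hooks are reachable by every authenticated role, Subscriber included.
add_action( 'wp_ajax_example_donor_profile', 'example_donor_profile_hardened' );
```

The decisive difference is the ownership-or-capability test before wp_update_user(): a nonce alone does not help, since a Subscriber can obtain a valid nonce for a form they are allowed to see, and checking is_user_logged_in() alone is exactly the condition the attacker already satisfies.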
CVSS Score
8.8 (HIGH)
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/DonorF
- https://plugins.trac.wordpress.org/changeset/3334424/idonate/tags/2.1.10/src/Hel
- https://wordpress.org/plugins/idonate/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/51d4b7f6-183b-4a8d-a94
FAQ
What is CVE-2025-4521?
CVE-2025-4521 is a vulnerability with a CVSS score of 8.8 (HIGH). The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function i...
How severe is CVE-2025-4521?
CVE-2025-4521 has been rated HIGH with a CVSS base score of 8.8/10. Exploitation requires only a low-privileged authenticated account (Subscriber level or above), and a successful attack ends in full administrator takeover.
Is there a patch for CVE-2025-4521?
Versions 2.1.5 through 2.1.9 are affected. The changeset referenced above is in the plugin's 2.1.10 tag, so update IDonate to 2.1.10 or later and confirm the installed version afterwards. Because the attack path leaves a changed email address on the victim account, also review administrator accounts for email changes or password resets you did not initiate.