CVE-2025-11154

5.4 MEDIUM

📋 TL;DR

The IDonate WordPress plugin before version 2.1.13 lacks proper authorization and CSRF protection in its user deletion functionality, allowing unauthenticated attackers to delete arbitrary user accounts. This affects all WordPress sites running vulnerable versions of the IDonate plugin.

💻 Affected Systems

Products:
  • IDonate WordPress Plugin
Versions: All versions before 2.1.13
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the IDonate plugin installed and activated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers delete all user accounts including administrators, causing complete loss of access and potential site takeover if backups are unavailable.

🟠

Likely Case

Attackers delete key user accounts (administrators, editors) causing operational disruption and requiring manual account restoration.

🟢

If Mitigated

No impact if the plugin is patched or a web application firewall blocks the exploit attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests to the vulnerable endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.13

Vendor Advisory: https://wpscan.com/vulnerability/fdb9e076-4c65-4fd1-b1f6-23c23a11bdb7/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find IDonate plugin
4. Click 'Update Now' if update is available
5. If no update appears, manually download version 2.1.13 or later from the WordPress plugin repository

🔧 Temporary Workarounds

Disable IDonate Plugin
Platform: WordPress
Temporarily deactivate the vulnerable plugin until patched
Command: wp plugin deactivate idonate

Web Application Firewall Rule
Platform: all
Block requests to the vulnerable action handler endpoint
Rule: Block HTTP POST requests containing 'action=idonate_delete_user'

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the WordPress admin interface
  • Enable comprehensive logging and monitoring for user deletion events

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → IDonate version number

Check Version:

wp plugin get idonate --field=version

Verify Fix Applied:

Verify IDonate plugin version is 2.1.13 or higher
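The version check above, as an added example that is not part of the advisory or the IDonate plugin. Only the fixed version 2.1.13 and the WP-CLI command come from the advisory; reading the installed version by shelling out to WP-CLI (and the optional --path argument) is an assumption about the operator's environment. The point of the helper is that versions must be compared component by component: a plain string comparison would rank "2.1.9" above "2.1.13" and report a vulnerable install as patched.

```python
"""Decide whether an installed IDonate version falls in the affected range.

Added example, not code from the advisory or the plugin. FIXED_VERSION is the
patch version named in the advisory; installed_version() assumes WP-CLI is
available on the host.
"""
import re
import subprocess

FIXED_VERSION = "2.1.13"  # from the advisory: all versions before this are affected


def parse_version(version: str) -> tuple:
    """Turn "2.1.13" into (2, 1, 13) so components compare numerically.

    A non-numeric suffix such as "-beta" is dropped from its component; a
    component with no leading digits counts as 0.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version.

    Tuple comparison handles unequal lengths: "2.1" is older than "2.1.13",
    while "2.1.13.1" is not.
    """
    return parse_version(installed) < parse_version(fixed)


def installed_version(path: str = ".") -> str:
    """Read the plugin version with the WP-CLI command the advisory lists.

    Assumption: WP-CLI is installed and `path` is the WordPress root.
    """
    result = subprocess.run(
        ["wp", "plugin", "get", "idonate", "--field=version", f"--path={path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    current = installed_version()
    state = f"VULNERABLE, update to {FIXED_VERSION}" if is_vulnerable(current) else "patched"
    print(f"IDonate {current}: {state}")
```

Run it from the WordPress root (or pass the root as `path`); a non-zero exit from WP-CLI, for example when the plugin is not installed, raises CalledProcessError rather than reporting a misleading "patched".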

📡 Detection & Monitoring

Log Indicators:

  • Unusual user deletion events
  • POST requests to /wp-admin/admin-ajax.php with action=idonate_delete_user

Network Indicators:

  • HTTP POST requests to admin-ajax.php with user deletion parameters from unauthenticated sources

SIEM Query:

source="wordpress.log" AND "action=idonate_delete_user"
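Added example, serving both the Web Application Firewall Rule under Temporary Workarounds and the Log Indicators / SIEM Query above; it is not code from the advisory or the IDonate project. The action name idonate_delete_user and the admin-ajax.php path are the ones the advisory gives; the access log lines are constructed here in combined log format, with documentation addresses, and the request-body handling is an assumption about how a request-level filter would be wired in. The same predicate works in two places: over access logs for after-the-fact detection, and on live requests (where the body is available) for blocking. The log-only path has a blind spot the example makes visible: WordPress reads the action from the query string or the POST body, and a body-carried action never reaches the access log.

```python
"""Detect requests matching the CVE-2025-11154 indicator.

Added example, not code from the advisory or the IDonate plugin. SAMPLE_LOG is
constructed; INDICATOR_ACTION and AJAX_PATH are the values the advisory names.
"""
import re
from urllib.parse import parse_qs, urlsplit

INDICATOR_ACTION = "idonate_delete_user"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return the fields of one access log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_indicator(entry, body: str = None) -> bool:
    """True for a POST to admin-ajax.php whose action is the vulnerable handler.

    WordPress takes `action` from $_REQUEST, so both the query string and the
    form body count. Pass `body` when inspecting a live request (WAF use); an
    access log never contains it, so log-based scans only see query-string hits.
    """
    if entry is None or entry["method"] != "POST":
        return False
    parts = urlsplit(entry["target"])
    if not parts.path.endswith(AJAX_PATH):
        return False
    params = parse_qs(parts.query)
    if body:
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return INDICATOR_ACTION in params.get("action", [])


def scan(lines):
    """Return the parsed entries that match the indicator, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_indicator(entry):
            hits.append(entry)
    return hits


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=idonate_delete_user HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "curl/8.0"',  # action in body: invisible here
    '192.0.2.9 - - [10/Oct/2025:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=idonate_delete_user&user_id=1 HTTP/1.1" 400 30 "-" "curl/8.0"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["target"]} -> {hit["status"]}')
```

A 200 in the log does not prove a deletion happened; correlate hits with WordPress-side user deletion events (the first Log Indicator above). For a real WAF deployment, apply `is_indicator` with the request body on every POST to admin-ajax.php rather than relying on the access log, since the third sample line shows what a log-only rule misses.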
