CVE-2025-4519
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to reset passwords for any user account, including administrators. Attackers can exploit this to gain administrative privileges and take full control of affected WordPress sites. Sites using IDonate plugin versions 2.1.5 through 2.1.9 are affected.
💻 Affected Systems
- IDonate – Blood Donation, Request And Donor Management System WordPress plugin
📦 What is this software?
Idonate by Themeatelier
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, install backdoors, steal sensitive data, deface the site, or use it for further attacks.
Likely Case
Attackers gain administrative privileges and compromise the WordPress installation, potentially leading to data theft, malware injection, or site defacement.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary disruption until the vulnerability is patched and compromised accounts are secured.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has any valid WordPress user account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.10
Vendor Advisory: https://wordpress.org/plugins/idonate/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the IDonate plugin and click 'Update Now'.
4. Verify that the plugin version shows 2.1.10 or higher.
🔧 Temporary Workarounds
Disable IDonate Plugin
Temporarily deactivate the vulnerable plugin until it is patched:
wp plugin deactivate idonate
Restrict User Registration
Disable new user registration so attackers cannot create the low-privilege account the attack requires:
wp option update users_can_register 0
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual password reset activity
- Regularly audit user accounts and remove any suspicious or unnecessary accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins, find IDonate and verify version is between 2.1.5 and 2.1.9
Check Version:
wp plugin get idonate --field=version
Verify Fix Applied:
After updating, verify IDonate plugin shows version 2.1.10 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- Unusual password reset requests, especially for administrative accounts
- Multiple failed login attempts followed by successful password reset
Network Indicators:
- HTTP POST requests to WordPress admin-ajax.php or admin-post.php with idonate_donor_password action
SIEM Query:
source="wordpress.log" AND ("password reset" OR "idonate_donor_password")
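As an added example (not part of the original advisory), the network indicator above can be checked offline against web-server access logs: flag POST requests to admin-ajax.php or admin-post.php whose action parameter is idonate_donor_password. The log lines below are constructed; note that when the action is sent only in the POST body, a default access log will not show it, so this check catches only query-string usage unless request-body logging or a WAF log is available.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=idonate_donor_password HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2025:10:02:11 +0000] "POST /wp-admin/admin-post.php?action=idonate_donor_password HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [12/May/2025:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINTS = {"/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php"}
SUSPICIOUS_ACTION = "idonate_donor_password"  # the action named in the advisory


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query)
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": url.path,
            "action": params.get("action", [None])[0], "status": int(m["status"])}


def find_reset_hits(log_text):
    """POST requests to the admin endpoints carrying the suspicious action in the query string."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["path"] not in ENDPOINTS:
            continue
        if rec["action"] == SUSPICIOUS_ACTION:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client IP so repeat offenders stand out."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts
```

Each flagged source should be cross-checked against the WordPress user activity for the same window (a password change on an administrator account shortly after one of these requests is the strong signal).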
🔗 References
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/DonorFunctions.php#L410
- https://plugins.trac.wordpress.org/changeset/3334424/idonate/tags/2.1.10/src/Helpers/DonorFunctions.php?old=3279142&old_path=idonate%2Ftags%2F2.1.9%2Fsrc%2FHelpers%2FDonorFunctions.php
- https://wordpress.org/plugins/idonate/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/596aef67-582a-4506-bae9-c7be1899e47a?source=cve