CVE-2025-4521
📋 TL;DR
This vulnerability in the IDonate WordPress plugin allows authenticated attackers with Subscriber-level access or higher to escalate privileges to administrator by hijacking any account. Attackers can reassign email addresses to donor accounts they control, then trigger password resets to gain full administrative control. WordPress sites running vulnerable plugin versions are affected.
💻 Affected Systems
- IDonate – Blood Donation, Request And Donor Management System WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrator privileges, install backdoors, steal sensitive donor data, deface the site, or use it for further attacks.
Likely Case
Attackers gain administrator access to compromise the WordPress site, potentially accessing sensitive donor information and using the site for malicious purposes.
If Mitigated
Limited impact if proper access controls, monitoring, and network segmentation are in place to detect and contain privilege escalation attempts.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has any valid WordPress user account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.10
Vendor Advisory: https://wordpress.org/plugins/idonate/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find IDonate plugin and click 'Update Now'. 4. Verify version shows 2.1.10 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the IDonate plugin until patched
wp plugin deactivate idonate
Restrict user registration
allDisable new user registration to prevent attackers from creating accounts
🧯 If You Can't Patch
- Implement strict access controls and monitor for suspicious user role changes
- Use web application firewall rules to block requests to vulnerable plugin endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins, find IDonate and verify version is between 2.1.5 and 2.1.9Check Version:
wp plugin get idonate --field=versionVerify Fix Applied:
After updating, confirm IDonate plugin version shows 2.1.10 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual user role changes from Subscriber to Administrator
- Multiple password reset requests for different accounts
- Access to /wp-admin/admin-ajax.php with idonate_donor_profile action
Network Indicators:
- POST requests to admin-ajax.php with donor_id parameter manipulation
SIEM Query:
source="wordpress.log" AND ("role changed" OR "password reset" OR "idonate_donor_profile")🔗 References
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/DonorFunctions.php#L310
- https://plugins.trac.wordpress.org/changeset/3334424/idonate/tags/2.1.10/src/Helpers/DonorFunctions.php?old=3279142&old_path=idonate%2Ftags%2F2.1.9%2Fsrc%2FHelpers%2FDonorFunctions.php
- https://wordpress.org/plugins/idonate/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/51d4b7f6-183b-4a8d-a94d-83c66950a872?source=cve
