CVE-2025-4522
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to delete arbitrary user accounts, including administrators, by exploiting an Insecure Direct Object Reference (IDOR) in the IDonate plugin: the donor-delete handler acts on a caller-supplied user ID without checking that the caller is allowed to delete that account. It affects WordPress sites running IDonate versions 2.0.0 through 2.1.9. Attackers can abuse this to disrupt site operations and lock legitimate administrators out of the site.
💻 Affected Systems
- WordPress IDonate – Blood Donation, Request And Donor Management System plugin
📦 What is this software?
Idonate by Themeatelier
⚠️ Risk & Real-World Impact
Worst Case
Deletion of every administrator account, leaving nobody able to manage the site through wp-admin until an administrator is recreated via the database or WP-CLI. If the plugin calls wp_delete_user() without a reassignment target, the deleted users' posts are removed as well, so content loss accompanies the lockout.
Likely Case
Disruption of site operations through deletion of key user accounts, leading to service downtime and administrative overhead.
If Mitigated
Limited impact if the plugin is updated or deactivated, open registration is disabled, and user-deletion events are logged and alerted on, allowing quick detection and remediation.
🎯 Exploit Status
Exploitation requires an authenticated account but nothing above Subscriber level, which any site with open registration hands out. A single crafted POST to wp-admin/admin-post.php with action=donor_delete and a chosen user ID reaches the vulnerable admin_post_donor_delete handler.
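An added illustration of the bug class, not the plugin's own code (the real handler is linked under References): the vulnerable pattern beside a hardened one. The form field name user_id, the nonce action name and the 'donor' role are assumptions made for this example.

```php
<?php
/**
 * Illustrative reconstruction of an IDOR in an admin-post handler.
 * NOT the IDonate plugin's actual code: the parameter name 'user_id',
 * the nonce action and the 'donor' role are assumptions.
 */

// --- Vulnerable pattern: the handler trusts the caller-supplied user ID. ---
// admin-post.php fires admin_post_{action} for ANY logged-in user, so a
// Subscriber reaches this function; nothing checks who is deleting whom.
function idonate_demo_vulnerable_donor_delete() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0; // attacker-controlled key
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id ); // deletes any account, including administrators
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// --- Hardened pattern: nonce + capability + object-level authorization. ---
function idonate_demo_hardened_donor_delete() {
    // 1. CSRF: the form must carry a nonce bound to this action (assumed name).
    check_admin_referer( 'idonate_delete_donor' );

    // 2. Function-level authorization: only users who may delete users at all.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete donors.' ), '', array( 'response' => 403 ) );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $donor   = $user_id ? get_userdata( $user_id ) : false;

    // 3. Object-level authorization: the key must refer to a donor record,
    //    never to an account outside the feature's scope (an admin, or self).
    if ( ! $donor
        || ! in_array( 'donor', (array) $donor->roles, true )
        || user_can( $donor, 'manage_options' )
        || $user_id === get_current_user_id() ) {
        wp_die( esc_html__( 'Invalid donor.' ), '', array( 'response' => 400 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_safe_redirect( add_query_arg( 'deleted', 1, wp_get_referer() ?: admin_url() ) );
    exit;
}

// Register only the hardened handler on the hook named in this advisory.
add_action( 'admin_post_donor_delete', 'idonate_demo_hardened_donor_delete' );
```

The capability check alone (step 2) is not enough for an IDOR fix: a user who may delete some users still must not be able to pick an arbitrary ID. Step 3 is what ties the supplied key to the set of objects the feature is meant to manage.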
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.10
Vendor Advisory: https://wordpress.org/plugins/idonate/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'IDonate – Blood Donation, Request And Donor Management System'.
4. Click 'Update Now' if available, or manually update to version 2.1.10.
5. Verify the update completes successfully.
🔧 Temporary Workarounds
Disable IDonate Plugin
Temporarily deactivate the vulnerable plugin to prevent exploitation until patching is possible.
wp plugin deactivate idonate
Restrict User Registration
Limit new user registrations to reduce the attack surface from low-privileged accounts. This does not remove accounts that already exist; audit existing Subscriber accounts separately.
In WordPress Settings > General, under Membership, uncheck 'Anyone can register'.
🧯 If You Can't Patch
- Log user deletions at the application level. WordPress core does not record them, so add an audit-log plugin or a small must-use plugin on the delete_user action that captures the acting user, their role and the target account, and alert on any deletion performed by a non-administrator.
- Use a web application firewall (WAF) to block requests to wp-admin/admin-post.php carrying action=donor_delete; in WordPress that action parameter dispatches to the admin_post_donor_delete hook. A WAF rule cannot tell an administrator's legitimate delete from an attacker's, so this also disables the plugin's own donor deletion until the patch is applied.
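An added example (not IDonate code) of the must-use plugin approach from the first bullet: it uses the core delete_user action, which wp_delete_user() fires before removing an account, to veto and log deletions attempted by accounts lacking the delete_users capability. The log format and function names are this example's own.

```php
<?php
/**
 * Plugin Name: Guard and log user deletions (added example, not IDonate code)
 * Drop into wp-content/mu-plugins/ so it loads before any regular plugin.
 *
 * Virtual patch for the bug class in this advisory: wp_delete_user() fires
 * the 'delete_user' action BEFORE removing the account, so a listener here
 * can refuse deletions by accounts without delete_users and emit one
 * structured line per attempt for the SIEM.
 */

function idonate_guard_log_deletion( $target_id, $actor_id, $decision ) {
    $actor  = $actor_id ? get_userdata( $actor_id ) : false;
    $target = get_userdata( $target_id );
    error_log( sprintf(
        'wp_user_delete decision=%s actor_id=%d actor_login=%s actor_roles=%s target_id=%d target_login=%s target_roles=%s ip=%s uri=%s',
        $decision,
        $actor_id,
        $actor ? $actor->user_login : '-',
        $actor ? implode( ',', $actor->roles ) : '-',
        $target_id,
        $target ? $target->user_login : '-',
        $target ? implode( ',', $target->roles ) : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
}

function idonate_guard_delete_user( $target_id, $reassign, $user ) {
    // WP-CLI and cron run with no logged-in user; only police web requests.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
        return;
    }
    $actor_id = get_current_user_id();

    if ( current_user_can( 'delete_users' ) ) {
        idonate_guard_log_deletion( $target_id, $actor_id, 'allowed' );
        return;
    }

    // A low-privileged (or anonymous) actor reached a deletion code path:
    // exactly what CVE-2025-4522 enables. Record it and stop the request.
    idonate_guard_log_deletion( $target_id, $actor_id, 'blocked' );
    wp_die( 'User deletion denied.', '', array( 'response' => 403 ) );
}

// Priority 0 so the veto runs before any other listener on this action.
add_action( 'delete_user', 'idonate_guard_delete_user', 0, 3 );
```

The lines land in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on), which is what a "wordpress.log" source in a SIEM would ingest. The veto also blocks any legitimate "delete my own account" feature that runs as a non-privileged user, so test such flows before deploying it site-wide.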
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is between 2.0.0 and 2.1.9 inclusive, the site is vulnerable.
Check Version:
wp plugin get idonate --field=version
Verify Fix Applied:
Confirm the plugin version is 2.1.10 or higher after the update. Then, on a staging copy or with throwaway accounts, log in as a Subscriber and submit the donor-delete request against a test user: the request must be rejected and the test account must still exist afterwards.
📡 Detection & Monitoring
Log Indicators:
- User deletion events where the acting account is not an administrator. WordPress core does not log deletions, so these appear only if an audit-log plugin or a custom delete_user hook writes them.
- HTTP POST requests to wp-admin/admin-post.php with action=donor_delete and unexpected user_id values. The POST body is not written to a standard web-server access log; look for it in WAF, reverse-proxy request logging, or application logs.
Network Indicators:
- Spikes in POST requests to the wp-admin/admin-post.php endpoint from sessions tied to low-privileged accounts, or from IP addresses that recently registered new accounts.
SIEM Query:
Illustrative Splunk-style query; the field names depend on what your application-level logging emits, since core WordPress produces none of them:
source="wordpress.log" uri="*admin-post.php*" action="donor_delete" NOT user_role="administrator"
🔗 References
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Admin/Admin.php#L75
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/DonorFunctions.php#L658
- https://plugins.trac.wordpress.org/changeset/3334424/idonate/tags/2.1.10/src/Helpers/DonorFunctions.php?old=3279142&old_path=idonate%2Ftags%2F2.1.9%2Fsrc%2FHelpers%2FDonorFunctions.php
- https://wordpress.org/plugins/idonate/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0625ec-5ac9-4896-ac11-87fc9287f68a?source=cve