CVE-2025-4522
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-12-04
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeatelier | idonate | From 2.0.0 (inc) to 2.1.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the IDonate – Blood Donation, Request And Donor Management System plugin for WordPress, specifically in versions 2.0.0 to 2.1.9. It is an Insecure Direct Object Reference (IDOR) issue in the admin_post_donor_delete() function. Authenticated attackers with Subscriber-level access or higher can exploit this by supplying an arbitrary user_id parameter to the wp_delete_user() function, allowing them to delete arbitrary user accounts, including administrator accounts.
How can this vulnerability impact me?
This vulnerability can allow attackers with low-level access (Subscriber-level) to delete any user account on the WordPress site, including administrator accounts. This can lead to loss of administrative control, disruption of service, and potential unauthorized changes to the website.
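The root cause described above is a handler that passes a request-supplied user_id straight to wp_delete_user() without any authorization check. The following is an added defensive example, not the plugin's own code: a hardened admin-post handler showing the checks (capability, nonce, input validation, object-level restriction) that would have prevented the deletion of arbitrary accounts. The hook name, nonce action string and the donor role slug are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): hardened admin-post delete handler.
// CVE-2025-4522 describes wp_delete_user() being called on an attacker-supplied
// user_id with no authorization check; every check below is one that was missing.
// Hook name, nonce action and the 'idonate_donor' role slug are assumptions.

add_action( 'admin_post_idonate_donor_delete', 'idonate_hardened_donor_delete' );

function idonate_hardened_donor_delete() {
    // 1. Capability check: Subscribers lack delete_users, so they stop here.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete users.', 'idonate' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_admin_referer( 'idonate_donor_delete_action', '_wpnonce' );

    // 3. Validate the identifier; absint() rejects non-numeric input.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $user    = $user_id ? get_userdata( $user_id ) : false;
    if ( false === $user ) {
        wp_die( esc_html__( 'Invalid user.', 'idonate' ), '', array( 'response' => 400 ) );
    }

    // 4. Object-level authorization: this endpoint may only remove donor
    //    accounts, never privileged ones, even for callers with delete_users.
    if ( ! in_array( 'idonate_donor', (array) $user->roles, true )
        || user_can( $user_id, 'manage_options' ) ) {
        wp_die( esc_html__( 'Only donor accounts can be deleted here.', 'idonate' ), '', array( 'response' => 403 ) );
    }

    // 5. Only now call wp_delete_user(), and leave an audit trail of who did it.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    error_log( sprintf( 'idonate: user %d deleted donor account %d', get_current_user_id(), $user_id ) );

    wp_safe_redirect( add_query_arg( 'deleted', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
```

For detection on an unpatched site, wp_delete_user() fires the delete_user and deleted_user actions, which can be logged to spot deletions initiated by low-privilege accounts until the plugin is updated to 2.1.10 or later.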