CVE-2025-4521
Awaiting Analysis Awaiting Analysis - Queue
Privilege Escalation in IDonate Plugin via Missing Capability Check

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account by reassigning its email address (via the donor_id they supply) and then triggering a password reset, ultimately granting themselves full administrator privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-05-07
AI Q&A
2026-02-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-4521
EUVD
EUVD-2025-207866
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
idonate idonate_blood_donation_request_and_donor_management_system From 2.1.5 (inc) to 2.1.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the IDonate – Blood Donation, Request And Donor Management System plugin for WordPress, specifically in versions 2.1.5 to 2.1.9. It is a Privilege Escalation issue caused by a missing capability check in the idonate_donor_profile() function.

This flaw allows authenticated attackers who have Subscriber-level access or higher to hijack any user account by changing its email address using the donor_id parameter. After reassigning the email, the attacker can trigger a password reset, which ultimately grants them full administrator privileges.


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows attackers with minimal access (Subscriber-level) to escalate their privileges to full administrator rights.

  • Attackers can hijack any user account by reassigning email addresses.
  • Once administrator privileges are obtained, attackers can control the entire WordPress site, including modifying content, installing malicious plugins, or stealing sensitive data.
  • This can lead to data breaches, site defacement, or complete loss of control over the website.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart