CVE-2025-4521

Awaiting Analysis Awaiting Analysis - Queue

Privilege Escalation in IDonate Plugin via Missing Capability Check

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account by reassigning its email address (via the donor_id they supply) and then triggering a password reset, ultimately granting themselves full administrator privileges.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-19

Last Modified

2026-02-19

Generated

2026-06-16

AI Q&A

2026-02-19

EPSS Evaluated

2026-06-15

NVD

CVE-2025-4521

EUVD

EUVD-2025-207866

Affected Vendors & Products

Vendor	Product	Version / Range
idonate	idonate_blood_donation_request_and_donor_management_system	From 2.1.5 (inc) to 2.1.9 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-285	The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

Executive Summary

The vulnerability exists in the IDonate – Blood Donation, Request And Donor Management System plugin for WordPress, specifically in versions 2.1.5 to 2.1.9. It is a Privilege Escalation issue caused by a missing capability check in the idonate_donor_profile() function.

This flaw allows authenticated attackers who have Subscriber-level access or higher to hijack any user account by changing its email address using the donor_id parameter. After reassigning the email, the attacker can trigger a password reset, which ultimately grants them full administrator privileges.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with minimal access (Subscriber-level) to escalate their privileges to full administrator rights.

Attackers can hijack any user account by reassigning email addresses.
Once administrator privileges are obtained, attackers can control the entire WordPress site, including modifying content, installing malicious plugins, or stealing sensitive data.
This can lead to data breaches, site defacement, or complete loss of control over the website.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2025-4521. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-4521

Privilege Escalation in IDonate Plugin via Missing Capability Check

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart