IDonate Plugin for WordPress Allows Attackers to Take Over Accounts
CVE-2025-4521
Summary
The IDonate plugin for WordPress has an authorization flaw that lets a logged-in attacker take over any account on the site. Any authenticated user, even one with only Subscriber-level access, can change the email address of another account and then trigger a password reset for it, ending up with that account's privileges, including full administrator access. To protect your site, update the IDonate plugin to the latest version (versions 2.1.5 through 2.1.9 are affected) or disable it until a fix is available.
Original title
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() functio...
Original description
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account by reassigning its email address (via the donor_id they supply) and then triggering a password reset, ultimately granting themselves full administrator privileges.
NVD CVSS 3.1
8.8
Vulnerability type
CWE-285
Improper Authorization
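To illustrate the fix for this bug class, here is an added PHP example (not the IDonate plugin's code): a WordPress AJAX handler for updating a donor profile that performs the nonce, authentication, ownership and capability checks whose absence the description above attributes to idonate_donor_profile(). The 'donor' post type, the nonce action and all function names are assumptions for the example.

```php
<?php
// Added example, not code from the IDonate plugin. The bug class described
// above is a handler that trusts a client-supplied donor_id and updates that
// record's e-mail with no capability or ownership check. Assumptions
// (hypothetical): donor profiles are a custom post type 'donor' whose
// post_author is the owning WordPress user; the form sends a nonce field.

function example_donor_owner_user_id( int $donor_id ): int {
    $donor = get_post( $donor_id );
    if ( ! $donor || 'donor' !== $donor->post_type ) {
        return 0; // unknown or wrong record type: no owner
    }
    return (int) $donor->post_author;
}

function example_handle_donor_profile_update(): void {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'donor_profile_update', 'donor_profile_nonce' );

    // 2. Authentication: an anonymous caller cannot pass an authorization decision.
    $current_user = get_current_user_id();
    if ( 0 === $current_user ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    $donor_id = absint( $_POST['donor_id'] ?? 0 );
    $owner    = example_donor_owner_user_id( $donor_id );

    // 3. Authorization (the missing check, CWE-285): the caller must own the
    //    donor record, or hold a capability that permits editing other users.
    if ( 0 === $owner || ( $owner !== $current_user && ! current_user_can( 'edit_users' ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Validate the sensitive field; refuse an address already bound to another account.
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'invalid or duplicate e-mail', 400 );
    }

    // The login e-mail is account-recovery-critical: write it only to the
    // verified owner's account, never to an ID taken straight from the request.
    $result = wp_update_user( array( 'ID' => $owner, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_donor_profile_update', 'example_handle_donor_profile_update' );
```

Note that the record is resolved server-side to its owner before any write, so the donor_id from the request can only ever select the caller's own record unless the caller holds edit_users.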
References
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/DonorF...
- https://plugins.trac.wordpress.org/changeset/3334424/idonate/tags/2.1.10/src/Hel...
- https://wordpress.org/plugins/idonate/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/51d4b7f6-183b-4a8d-a94...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026