CVE-2025-11154

Published: Oct 27, 2025Modified: Dec 5, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.

Affected (1)

Products: Themeatelier: Idonate

Themeatelier

1 product

Idonate

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Themeatelier Idonate	Before 2.1.13

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (1)

https://wpscan.com/vulnerability/fdb9e076-4c65-4fd1-b1f6-23c23a11bdb7/

Source: contact@wpscan.com

ExploitThird Party Advisory

Timeline

No history available yet.