CVE-2025-4523

Published: Aug 1, 2025Modified: Dec 5, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the admin_donor_profile_view() function in versions 2.0.0 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose an administrator’s username, email address, and all donor fields.

Affected (1)

Products: Themeatelier: Idonate

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Themeatelier Idonate	From 2.0.0 to 2.1.10

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (5)

https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Admin/Admin.php#L76

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/IDonateAjaxHandler.php#L48

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/changeset/3334424/

Source: security@wordfence.com

Product

https://wordpress.org/plugins/idonate/#developers

Source: security@wordfence.com

Release Notes

https://www.wordfence.com/threat-intel/vulnerabilities/id/5fe7668b-9d70-44b7-a347-3922c0b8684c?source=cve

Source: security@wordfence.com

PatchThird Party Advisory

Timeline

No history available yet.