CVE-2025-4521 HIGH

CVE-2025-4521: IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_profile Function

Vendor Themeatelier
Product IDonate – Blood Donation, Request And Donor Management System
Weakness CWE-285
Published February 19, 2026
Last update February 19, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. The function updates the donor profile named by a donor_id value taken from the request without verifying that the caller owns that record or is otherwise allowed to edit other users' profiles. An authenticated attacker with Subscriber-level access or above can therefore point donor_id at any other account, including an administrator's, reassign that account's email address to one they control, and then trigger a normal password reset for it, ultimately granting themselves full administrator privileges.
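The advisory does not reproduce the affected code, so the following is an added illustrative example, not IDonate's own implementation: a WordPress AJAX handler written in the missing-authorization pattern the description attributes to idonate_donor_profile(), beside a hardened version of the same handler. The hook names, parameter names, nonce action and the assumption that a donor profile maps to a WordPress user ID are all inventions for the illustration.

```php
<?php
/**
 * Added illustrative example (not the plugin's code). Shows the CWE-285
 * pattern described in the advisory and the checks that close it.
 * Assumptions: donor_id is a WordPress user ID; handlers are reached via
 * admin-ajax.php; hook/nonce names are made up for the example.
 */

// --- Vulnerable pattern (illustrative) ------------------------------------
// Any logged-in user can reach a wp_ajax_* action. Nothing here checks that
// the donor_id being edited belongs to the caller, so a Subscriber can pass
// an administrator's ID and an address they control; the next password-reset
// mail for that account then lands in the attacker's inbox.
add_action( 'wp_ajax_example_donor_profile_vuln', 'example_donor_profile_vuln' );
function example_donor_profile_vuln() {
    $donor_id = isset( $_POST['donor_id'] ) ? absint( $_POST['donor_id'] ) : 0;
    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    wp_update_user( array( 'ID' => $donor_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_donor_profile_safe', 'example_donor_profile_safe' );
function example_donor_profile_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'example_donor_profile' ) on the form side).
    check_ajax_referer( 'example_donor_profile', 'nonce' );

    $donor_id = isset( $_POST['donor_id'] ) ? absint( $_POST['donor_id'] ) : 0;
    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    if ( ! $donor_id || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // 2. Authorization: the caller may edit their own record; editing anyone
    //    else's requires the meta capability WordPress uses for user edits.
    //    This is the check the advisory says is missing.
    $caller = get_current_user_id();
    if ( $donor_id !== $caller && ! current_user_can( 'edit_user', $donor_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Do not let an email change collide with another existing account.
    $owner_of_email = email_exists( $email );
    if ( $owner_of_email && (int) $owner_of_email !== $donor_id ) {
        wp_send_json_error( 'email already in use', 409 );
    }

    $result = wp_update_user( array( 'ID' => $donor_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

The ownership-or-capability test in step 2 is the essential fix: `current_user_can( 'edit_user', $id )` resolves through WordPress's map_meta_cap(), so a Subscriber editing their own profile passes while the same Subscriber targeting an administrator's ID is refused. The nonce and the email-collision check are defence in depth, not substitutes for it.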

Explanation of Vulnerability in Simple Terms

02 Summary

IDonate versions 2.1.5 through 2.1.9 do not verify that the user calling the donor-profile update is allowed to edit the profile they name. Any logged-in user, a Subscriber included, can change the email address attached to another user's account, including an administrator's, and then use the site's normal password-reset flow to take that account over. No interaction from the victim is needed. Once holding an administrator account, the attacker can read, modify, or delete blood donation records and donor information and disrupt the site. Update to a version newer than 2.1.9.

What an attacker can do

03 Attacker Capabilities

Take over any account on the site, including administrator accounts, by reassigning its email address and resetting its password; with that access, read, modify, or delete sensitive blood donation and donor data and disrupt the application's availability.

Potential impact on your site

04 Site Impact

Full administrative compromise of the site: unauthorized access to donor records, blood donation requests, and system data; potential data loss or corruption; and anything else an administrator-level account can do on the site.

Conditions required to exploit

05 Prerequisites

The site must run IDonate version 2.1.5 through 2.1.9, and the attacker must hold a valid account with Subscriber-level access or above (for example, a self-registered account on a site that allows open registration). No user interaction by the victim is required.

Key dates

06 Disclosure timeline

February 19, 2026 CVE published
February 19, 2026 Record updated