What the vulnerability does
01Description
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account by reassigning its email address (via the donor_id they supply) and then triggering a password reset, ultimately granting themselves full administrator privileges.
Explanation of Vulnerability in Simple Terms
02Summary
IDonate versions 2.1.5 through 2.1.9 contain an improper access control vulnerability that allows authenticated users to read, modify, or delete sensitive data and disrupt the application. An attacker with a low-privilege account can exploit this flaw without user interaction to gain unauthorized access to blood donation records, donor information, and system functionality. Update to a version newer than 2.1.9.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete sensitive blood donation and donor data; disrupt the application's availability.
Potential impact on your site
04Site Impact
Unauthorized access to donor records, blood donation requests, and system data; potential data loss or corruption.
Conditions required to exploit
05Prerequisites
Attacker must have a valid low-privilege user account; no user interaction required.
Key dates
06Disclosure timeline
February 19, 2026
CVE published
February 19, 2026
Record updated