VYPR
Unrated severityNVD Advisory· Published Nov 7, 2025· Updated Nov 7, 2025

IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

CVE-2025-4522

Description

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin_post_donor_delete() function in versions 2.0.0 to 2.1.9. By supplying an arbitrary user_id parameter value to the wp_delete_user() function, authenticated attackers, with Subscriber-level access and above could delete arbitrary user accounts, including those of administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.