Unrated severityNVD Advisory· Published Aug 1, 2025· Updated Aug 1, 2025

IDonate 2.0.0 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via admin_donor_profile_view Function

CVE-2025-4523

Description

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the admin_donor_profile_view() function in versions 2.0.0 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose an administrator’s username, email address, and all donor fields.

Affected products

themeatelier/IDonate – Blood Donation, Request And Donor Management Systemv5
Range: 2.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Admin/Admin.phpmitre
plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/IDonateAjaxHandler.phpmitre
plugins.trac.wordpress.org/changeset/3334424/mitre
wordpress.org/plugins/idonate/mitre
www.wordfence.com/threat-intel/vulnerabilities/id/5fe7668b-9d70-44b7-a347-3922c0b8684cmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000