CVE-2025-4522
- Source
- https://cve.org/CVERecord?id=CVE-2025-4522
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4522.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-4522
- Published
- 2025-11-07T05:16:04.443Z
- Modified
- 2026-03-15T14:13:41.329270Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the adminpostdonordelete() function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wpdeleteuser() function, authenticated attackers, with Subscriber-level access and above could delete arbitrary user accounts, including those of administrators.
- References
-
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Admin/Admin.php#L75
- https://plugins.trac.wordpress.org/browser/idonate/tags/2.1.9/src/Helpers/DonorFunctions.php#L658
- https://wordpress.org/plugins/idonate/#developers
- https://plugins.trac.wordpress.org/changeset/3334424/idonate/tags/2.1.10/src/Helpers/DonorFunctions.php?old=3279142&old_path=idonate%2Ftags%2F2.1.9%2Fsrc%2FHelpers%2FDonorFunctions.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0625ec-5ac9-4896-ac11-87fc9287f68a?source=cve