CVE-2025-11154: 
WordPress vulnerability analysis and mitigation

A vulnerability in the IDonate WordPress plugin versions below 2.1.13 allows unauthenticated attackers to delete arbitrary users from WordPress installations. The vulnerability was assigned CVE-2025-11154 and was publicly disclosed on October 6, 2025. The issue stems from missing authorization and CSRF protections in the user deletion functionality (WPScan).

The vulnerability exists in the plugin's action handler that processes user deletions. The affected endpoint is wp-admin/admin-ajax.php which accepts POST requests with the action parameter 'pandingdonoraction' and target parameter 'delete'. Due to missing access controls, any unauthenticated user can send requests to delete arbitrary users by specifying their User ID. The vulnerability has been assigned a CVSS score of 8.2 (High) and is classified as CWE-862 (Missing Authorization). The issue falls under the OWASP Top 10 category A5: Broken Access Control (WPScan).

A successful exploitation of this vulnerability allows unauthenticated attackers to delete any user account from the WordPress installation, including administrative users. This could lead to denial of service, loss of access for legitimate users, and potential disruption of website operations (WPScan).

The vulnerability has been fixed in IDonate version 2.1.13. Site administrators are strongly advised to update to this version or later to protect against unauthorized user deletion attacks (WPScan).