CVE-2025-11154: 
WordPress vulnerability analysis and mitigation

The IDonate WordPress plugin before version 2.1.13 contains a critical security vulnerability identified as CVE-2025-11154. The vulnerability was discovered by Khaled Alenazi (Nxploited) and publicly disclosed on October 6, 2025. This security flaw affects the user management functionality of the IDonate plugin, which is used for blood donation and donor management systems (WPScan).

The vulnerability stems from missing authorization checks and CSRF protections in the user deletion action handler. The issue has been assigned a CVSS base score of 8.2 (high severity) and is classified under CWE-862 (Missing Authorization). The vulnerability can be exploited through the WordPress admin-ajax.php endpoint by sending a specially crafted POST request with specific parameters targeting the user deletion functionality (WPScan).

When successfully exploited, this vulnerability allows unauthenticated attackers to delete arbitrary users from the WordPress installation. This can lead to denial of service for affected users and potential disruption of website operations (WPScan, Rapid7).

The vulnerability has been patched in IDonate version 2.1.13. Website administrators running affected versions should immediately upgrade to the latest version to protect against potential attacks (WPScan).