CVE-2025-4522: 
WordPress vulnerability analysis and mitigation

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress (versions 2.0.0 to 2.1.9) contains a vulnerability identified as CVE-2025-4522. This security flaw is characterized as an Insecure Direct Object Reference vulnerability in the adminpostdonor_delete() function. The vulnerability was discovered and disclosed on November 6, 2025, and was assigned a CVSS v3.1 base score of 6.5 (Medium) (NVD, Rapid7).

The vulnerability exists in the adminpostdonordelete() function where authenticated attackers with Subscriber-level access or higher can exploit an Insecure Direct Object Reference (IDOR) vulnerability. The issue stems from insufficient authorization checks when processing the userid parameter passed to the wpdeleteuser() function. The vulnerability has been classified as CWE-862 (Missing Authorization) (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level privileges to delete arbitrary user accounts from the WordPress installation, including administrator accounts. This represents a significant security risk as it could lead to the unauthorized removal of critical administrative users from the system (Rapid7).

The vulnerability has been patched in version 2.1.10 of the IDonate plugin. Users are strongly advised to update to this version or later to protect against this security issue. The fix includes implementation of proper authorization checks before allowing user deletion operations (WordPress Plugin).