
Cloud Vulnerability DB
A community-led vulnerabilities database
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress contains a missing capability check vulnerability in versions 2.0.0 to 2.1.9. The vulnerability exists in the admindonorprofile_view() function, which allows authenticated attackers with Subscriber-level access and above to expose sensitive administrator information including username, email address, and all donor fields (NVD).
The vulnerability stems from a missing capability check in the admindonorprofileview() function located in the IDonateAjaxHandler class. This function is hooked to the 'wpajaxadmindonorprofileview' action, a WordPress admin-ajax (wp_ajax_) hook, which fires for every logged-in user regardless of role, so the handler is reachable by any authenticated user. The function retrieves and returns sensitive user metadata without verifying that the caller has permission to view other users' profiles (WordPress Plugin, Ajax Handler). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) (NVD).
Successful exploitation of this vulnerability allows authenticated attackers with Subscriber-level access or higher to view sensitive administrator information, including usernames, email addresses, and all donor fields. This information disclosure could potentially be used for further attacks or social engineering attempts (NVD).
The vulnerability has been patched in version 2.1.10 of the IDonate plugin. Site administrators should update to this version immediately. The update includes fixes for privilege escalation via password reset, arbitrary user email change vulnerability, unauthorized user deletion vulnerability, and user data exposure via AJAX (WordPress Plugin).
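The following is an added illustration of the bug class described above and of the fix the patch applies; it is not code from the IDonate plugin, and the action names, callback names, nonce name and meta key are hypothetical. The first handler shows why a wp_ajax_ callback with no capability check is reachable by a Subscriber; the second shows the same handler hardened with a nonce check, a capability check, and a minimal response.

```php
<?php
// Added example, not the IDonate plugin's code. All names below are hypothetical.

// Pattern 1: an admin-ajax handler with no capability check.
// WordPress fires wp_ajax_{action} for every logged-in user, whatever their role,
// so a Subscriber can call this and read any user's login, email and meta.
add_action( 'wp_ajax_example_donor_profile_view', 'example_donor_profile_view_unchecked' );
function example_donor_profile_view_unchecked() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Returns the whole profile of any user, including administrators.
    wp_send_json_success( array(
        'user_login' => $user->user_login,
        'user_email' => $user->user_email,
        'meta'       => get_user_meta( $user_id ),
    ) );
}

// Pattern 2: the same handler hardened.
add_action( 'wp_ajax_example_donor_profile_view_secure', 'example_donor_profile_view_checked' );
function example_donor_profile_view_checked() {
    // Reject requests that do not carry a valid nonce (nonce action name is hypothetical).
    check_ajax_referer( 'example_donor_profile_nonce', 'nonce' );

    // Capability check: only users allowed to list/manage users may read other profiles.
    // 'list_users' is a core capability held by Administrators, not Subscribers.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Return only the fields the feature needs, never the full user meta table.
    wp_send_json_success( array(
        'display_name' => $user->display_name,
        'blood_group'  => get_user_meta( $user_id, 'example_blood_group', true ), // hypothetical key
    ) );
}
```

When auditing a plugin for this class of issue, list every add_action( 'wp_ajax_...' ) registration and confirm that each callback calls current_user_can() with an appropriate capability before touching data that belongs to other users; a wp_ajax_ hook without such a check is exposed to every authenticated account, while a wp_ajax_nopriv_ hook is exposed to unauthenticated visitors as well.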
Source: This report was generated using AI