CVE-2025-11154

MEDIUM

IDonate <2.1.13 - CSRF

Title source: llm

Description

The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/fdb9e076-4c65-4fd1-b1f6-23c23a11bdb7/

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 10.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-352

Status published

Affected Products (1)

themeatelier/idonate < 2.1.13

Timeline

Published Oct 27, 2025

Tracked Since Feb 18, 2026