CVE-2025-11154

Summary

The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.

Affected Software

VendorProductVersion RangeStatus
UnknownIDonate0 < 2.1.13affected

Weaknesses

  • CWE-862 Missing Authorization
  • CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References