Vulnerability Details CVE-2025-11154
The IDonate WordPress plugin before 2.1.13 lacks authorisation and CSRF checks when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.6%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2025-11154
- cpe:2.3:a:themeatelier:idonate:1.1
- cpe:2.3:a:themeatelier:idonate:1.2
- cpe:2.3:a:themeatelier:idonate:1.3
- cpe:2.3:a:themeatelier:idonate:1.4
- cpe:2.3:a:themeatelier:idonate:1.5
- cpe:2.3:a:themeatelier:idonate:1.6
- cpe:2.3:a:themeatelier:idonate:1.7.0
- cpe:2.3:a:themeatelier:idonate:1.8.1
- cpe:2.3:a:themeatelier:idonate:1.9.1
- cpe:2.3:a:themeatelier:idonate:2.0.0
- cpe:2.3:a:themeatelier:idonate:2.0.1
- cpe:2.3:a:themeatelier:idonate:2.0.2
- cpe:2.3:a:themeatelier:idonate:2.0.3
- cpe:2.3:a:themeatelier:idonate:2.1.0
- cpe:2.3:a:themeatelier:idonate:2.1.1
- cpe:2.3:a:themeatelier:idonate:2.1.2
- cpe:2.3:a:themeatelier:idonate:2.1.3
- cpe:2.3:a:themeatelier:idonate:2.1.4
- cpe:2.3:a:themeatelier:idonate:2.1.5
- cpe:2.3:a:themeatelier:idonate:2.1.6
- cpe:2.3:a:themeatelier:idonate:2.1.7
- cpe:2.3:a:themeatelier:idonate:2.1.8
- cpe:2.3:a:themeatelier:idonate:2.1.9