CVE-2025-11154 is a vulnerability identified in the IDonate WordPress plugin, affecting all versions prior to 2.1.13. The core issue is the absence of proper authorization checks and Cross-Site Request Forgery (CSRF) protections on the action handler responsible for deleting users. This flaw allows unauthenticated attackers to remotely invoke the user deletion functionality, effectively removing arbitrary users from the system without any legitimate permissions or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization) and CWE-352 (Cross-Site Request Forgery), indicating that the plugin fails to verify whether the requester has the rights to perform user deletions and lacks anti-CSRF tokens to prevent forged requests. The CVSS 3.1 base score is 5.4 (medium), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality and integrity impacts (C:L/I:L) with no availability impact (A:N). Although no public exploits are currently known, the vulnerability poses a significant risk because it can be exploited remotely and silently, potentially leading to unauthorized removal of users, which can disrupt operations and compromise system integrity. The vulnerability was reserved on 2025-09-29 and published on 2025-10-27 by WPScan, a reputable WordPress vulnerability database.

For European organizations, especially those operating WordPress sites with the IDonate plugin, this vulnerability can lead to unauthorized deletion of user accounts, which may include administrators or privileged users. This compromises the integrity of user data and can disrupt normal operations, including donation processing and user management. The loss of user accounts could lead to denial of service for legitimate users and potential escalation paths if administrative users are removed or replaced. Confidentiality is also impacted as unauthorized actors gain the ability to manipulate user records. Organizations in sectors relying heavily on donation platforms, such as non-profits, charities, and NGOs, may face operational and reputational damage. The ease of exploitation without authentication and user interaction increases the risk of automated attacks or mass exploitation campaigns. Additionally, the lack of known exploits currently provides a window for proactive mitigation before widespread abuse occurs.

1. Immediately update the IDonate plugin to version 2.1.13 or later once the patch is released to ensure authorization and CSRF protections are implemented. 2. Until an official patch is available, implement web application firewall (WAF) rules to detect and block suspicious requests targeting the user deletion endpoint. 3. Restrict access to the WordPress admin and plugin action handlers by IP whitelisting or VPN access where feasible. 4. Conduct regular audits of user accounts to detect unauthorized deletions and maintain backups for quick restoration. 5. Harden WordPress installations by enforcing strong authentication mechanisms, including multi-factor authentication for administrative users. 6. Monitor logs for unusual activity related to user management functions, especially deletion events. 7. Educate site administrators about the risks of unauthorized plugin actions and encourage timely updates of all plugins. 8. Consider disabling or limiting the use of the IDonate plugin if it is not critical to operations until patched.