CVE-2025-11154: CWE-862 Missing Authorization in IDonate
The IDonate WordPress plugin before 2.1.13 does not perform authorisation or CSRF checks when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.
AI Analysis
Technical Summary
CVE-2025-11154 identifies a critical security vulnerability in the IDonate WordPress plugin prior to version 2.1.13. The flaw arises from missing authorization checks (CWE-862) combined with the absence of Cross-Site Request Forgery (CSRF) protections (CWE-352) on the plugin's user deletion action handler. This means that an unauthenticated attacker can craft a request that triggers the deletion of arbitrary user accounts without any authentication or user interaction. The vulnerability affects all versions before 2.1.13, with no patch links currently available, indicating that a fix is either pending or recently released but not linked. The plugin is commonly used for managing donations on WordPress sites, often by nonprofits and organizations relying on user accounts for managing donors or administrators. The lack of authorization and CSRF protections allows attackers to disrupt site operations by removing users, potentially including administrators, which can lead to denial of service or loss of control over the site. Although no known exploits have been reported in the wild, the vulnerability's nature makes it highly exploitable. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability factors. The vulnerability impacts confidentiality minimally but severely affects integrity and availability by enabling unauthorized user deletions. Exploitation requires no authentication or user interaction, broadening the attack surface significantly. The scope includes all WordPress sites using the vulnerable IDonate plugin versions. This vulnerability underscores the importance of strict authorization and CSRF protections on sensitive actions within web applications.
Potential Impact
For European organizations, especially those operating nonprofit, charity, or donation platforms on WordPress using the IDonate plugin, this vulnerability poses a significant threat. Attackers can delete arbitrary user accounts, including administrators, potentially causing operational disruptions, loss of administrative control, and denial of service. This could lead to downtime, loss of donor trust, and financial impact due to interrupted donation processing. The integrity of user data and site management is compromised, and recovery may require manual restoration of user accounts and investigation of unauthorized deletions. Given the plugin's role in donation management, the impact extends to reputational damage and potential regulatory scrutiny under data protection laws if user management is affected. The lack of authorization and CSRF protections increases the risk of automated or widespread exploitation attempts, especially against high-profile or high-traffic sites. Organizations with limited WordPress security expertise may be particularly vulnerable to exploitation and subsequent operational impact.
Mitigation Recommendations
Immediate mitigation involves upgrading the IDonate plugin to version 2.1.13 or later once it becomes available, as this version is expected to include proper authorization and CSRF protections. Until an update is applied, organizations should implement web application firewall (WAF) rules to block unauthorized requests targeting the user deletion action handler. Restrict access to the WordPress admin and plugin endpoints via IP whitelisting or VPN access where feasible. Conduct a thorough audit of user accounts to detect any unauthorized deletions and maintain regular backups to enable rapid recovery. Implement monitoring and alerting for unusual user deletion activities or access patterns. Additionally, review and harden WordPress security configurations, including enforcing strong authentication for administrative users and enabling multi-factor authentication (MFA). Educate site administrators about the risks of CSRF and missing authorization vulnerabilities and the importance of timely plugin updates. Engage with the plugin vendor or community to track patch releases and security advisories.
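As an added illustration of the two missing controls (this is not IDonate's code; the handler, hook and nonce action names are hypothetical), here is a generic WordPress admin-post user-deletion handler in the unprotected shape the advisory describes, followed by the hardened form that the mitigation section calls for:

```php
<?php
// Added example, not the plugin's code. Hypothetical names throughout.

// --- Unprotected pattern (CWE-862 + CWE-352): no capability check, no nonce ---
function example_delete_user_unprotected() {
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );            // any request reaching the hook deletes any user
    wp_safe_redirect( admin_url() );
    exit;
}
// Registering the nopriv_ hook as well exposes the handler to logged-out requests.
add_action( 'admin_post_example_delete_user',        'example_delete_user_unprotected' );
add_action( 'admin_post_nopriv_example_delete_user', 'example_delete_user_unprotected' );

// --- Hardened pattern ---
function example_delete_user_protected() {
    // 1. Authorization (CWE-862): only accounts allowed to delete users may proceed.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete users.', 'example' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF (CWE-352): the nonce is bound to this action and this target user;
    //    check_admin_referer() dies with a 403 if it is missing or invalid.
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    check_admin_referer( 'example_delete_user_' . $user_id );
    // 3. Sanity checks: reject an empty id and self-deletion.
    if ( 0 === $user_id || get_current_user_id() === $user_id ) {
        wp_die( esc_html__( 'Invalid user.', 'example' ), '', array( 'response' => 400 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_safe_redirect( admin_url( 'users.php?deleted=1' ) );
    exit;
}
// Authenticated hook only: no admin_post_nopriv_ registration for a destructive action.
add_action( 'admin_post_example_delete_user', 'example_delete_user_protected' );

// The link or form that triggers the handler must carry the matching nonce.
function example_delete_user_url( $user_id ) {
    $url = add_query_arg(
        array( 'action' => 'example_delete_user', 'user_id' => absint( $user_id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_delete_user_' . absint( $user_id ) );
}
```

When auditing a plugin for this class of bug, look for destructive handlers registered on `admin_post_nopriv_*`, `wp_ajax_nopriv_*` or `init` that call `wp_delete_user()` without a preceding `current_user_can()` and nonce check.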
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-09-29T13:45:16.966Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68ff0bad4c2556d99606b1ce
Added to database: 10/27/2025, 6:05:33 AM
Last enriched: 10/27/2025, 6:21:01 AM
Last updated: 10/27/2025, 8:29:14 AM