
CVE-2025-12877: CWE-862 Missing Authorization in themeatelier IDonate – Blood Donation, Request And Donor Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-12877, CWE-862
Published: Sat Nov 22 2025 (11/22/2025, 07:29:20 UTC)
Source: CVE Database V5
Vendor/Project: themeatelier
Product: IDonate – Blood Donation, Request And Donor Management System

Description

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthenticated attackers to delete arbitrary posts.

AI-Powered Analysis

Last updated: 11/22/2025, 07:44:13 UTC

Technical Analysis

CVE-2025-12877 is a Missing Authorization (CWE-862) flaw in the IDonate – Blood Donation, Request And Donor Management System WordPress plugin by themeatelier. The handler panding_blood_request_action() performs a post deletion without first checking the caller's capabilities (in WordPress terms, without a current_user_can() or equivalent check before the destructive operation). All versions up to and including 2.1.15 are affected. Because the advisory states that unauthenticated attackers can reach the function, the handler is evidently exposed on a path that does not require a login; in WordPress plugins that is typically a wp_ajax_nopriv_ hook or a front-end form or REST callback, though the advisory does not say which registration the plugin uses. The attacker supplies a post ID of their choosing and the plugin deletes it, so the impact is not limited to the plugin's own blood-request records: the description states that arbitrary posts can be deleted.

The assigned CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, base score 5.3 (Medium): reachable over the network, low attack complexity, no privileges or user interaction required, scope unchanged, no confidentiality impact, limited integrity impact, no availability impact. The availability metric is rated from the perspective of the application staying up; from the operator's perspective, deleted donation requests and donor records are data that is no longer available, and if the deletion bypasses the trash those records are recoverable only from backups.

At the time of this analysis no patch and no exploitation activity had been recorded here; administrators should check the vendor's changelog for a release newer than 2.1.15. Exploitation requires no special tooling, so prompt action is warranted given the sensitivity of the data these sites hold. WordPress is widely deployed globally, including by healthcare and non-profit organizations running blood donation programmes.

Potential Impact

For European organizations, particularly healthcare providers, blood services and NGOs that run the IDonate plugin to manage donation requests and donor data, the risk is to data integrity: an attacker needs no account to delete posts, so donation requests or donor records can be removed by anyone who can reach the site. Loss of those records can disrupt the matching of donors to requests and the emergency response that depends on it, cause operational downtime, and damage trust. Under GDPR, unlawful destruction of personal data is itself a personal data breach (Art. 4(12)), so an exploited instance may carry notification duties on top of the operational impact. Although the assigned vector rates confidentiality and availability as unaffected, the integrity compromise directly affects the reliability of the service the data supports. Because the missing check sits inside the plugin, access controls on the WordPress admin area do not by themselves close the hole if the handler is reached through a front-end path; the exposure ends only when the plugin is patched, hardened or removed. With no authentication required, every internet-facing affected site is exploitable by remote attackers, and given the sensitivity of healthcare data, the impact on European providers and associated NGOs could be material if the flaw is exploited.

Mitigation Recommendations

1. Audit WordPress installations to determine whether the IDonate – Blood Donation, Request And Donor Management System plugin is installed and which version is active; anything at or below 2.1.15 is affected.
2. Apply the vendor's fixed release as soon as it is available, and verify after updating that the installed version is newer than 2.1.15.
3. Until a fix is installed, deactivate or uninstall the plugin. Deactivation removes the plugin's hooks and with them the exposed handler; hiding the plugin's admin menu does not.
4. Where a WAF is in place, block requests from unauthenticated clients that route to the handler. The WAF sees request paths and parameters, not PHP function names, so the rule must target the request parameters (such as the admin-ajax.php action value) the plugin registers for panding_blood_request_action().
5. Restricting /wp-admin/ by IP allowlist or VPN reduces exposure of the admin area, but admin-ajax.php lives under /wp-admin/ and is used by front-end features of many plugins and themes; blocking it for anonymous visitors may break those features, so test first. Do not rely on this alone, since a front-end handler may not pass through /wp-admin/ at all.
6. Back up WordPress content and the database regularly and test restores; a forced deletion bypasses the trash, in which case backups are the only recovery path.
7. Monitor for unexpected post deletions (for example through an audit-log plugin) and for POST requests to admin-ajax.php or plugin endpoints that carry the plugin's action name from clients without a logged-in session.
8. If patching is not immediately feasible, add the missing authorization to the handler: a current_user_can() check for an appropriate capability (for example delete_post on the target post) together with a nonce check, and confine the deletable post type to the plugin's own. Track any local change, because a plugin update will overwrite it.
9. Educate administrators on reviewing plugins before installing them, especially in healthcare environments.
10. Coordinate with healthcare IT security teams so that plugin vulnerability management is part of the wider risk assessment and incident response plans.
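The following PHP illustrates the CWE-862 pattern described in the Technical Analysis and the hardening described in mitigation item 8. It is an added example written for this page, not the IDonate plugin's code: only the handler name panding_blood_request_action() comes from the advisory, while the hook name idonate_pending_request, the request parameter request_id, the nonce action, the post type blood_request and the hardened function name are assumptions chosen to show the pattern.

```php
<?php
/*
 * Illustrative reconstruction of the CWE-862 pattern behind CVE-2025-12877.
 * NOT the IDonate plugin's code: the hook name, parameter name, nonce action,
 * post type and the hardened function name are assumptions for this example.
 * Only the handler name panding_blood_request_action() is from the advisory.
 * Both shapes are shown in one file for comparison; a real plugin has one.
 */

/* ---- Vulnerable shape: reachable by anonymous visitors, no authorization ---- */

// Registering the callback on the nopriv hook exposes it to visitors who are
// not logged in, and nothing in the handler checks who is calling.
add_action( 'wp_ajax_idonate_pending_request',        'panding_blood_request_action' );
add_action( 'wp_ajax_nopriv_idonate_pending_request', 'panding_blood_request_action' );

function panding_blood_request_action() {
    $post_id = isset( $_POST['request_id'] ) ? (int) $_POST['request_id'] : 0;
    // Missing capability check (CWE-862): any post ID from any caller is deleted,
    // and force_delete = true bypasses the trash, so nothing is recoverable.
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

/* ---- Hardened shape: authenticate, authorize, then constrain the target ---- */

// Logged-in users only: a destructive action gets no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_idonate_pending_request_secure', 'idonate_pending_request_secure' );

function idonate_pending_request_secure() {
    // CSRF protection: the request must carry a nonce issued for this action
    // (check_ajax_referer() calls wp_die() on failure).
    check_ajax_referer( 'idonate_pending_request', 'nonce' );

    $post_id = isset( $_POST['request_id'] ) ? absint( $_POST['request_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Constrain the target to the plugin's own post type, so a capability that
    // is valid for blood requests cannot be turned into deletion of any post.
    if ( ! $post || 'blood_request' !== $post->post_type ) {
        wp_send_json_error( 'invalid request', 400 ); // wp_send_json_error() exits
    }

    // The authorization check the vulnerable version lacks: 'delete_post' is a
    // meta capability that WordPress resolves against the post's author and type.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

When reviewing a vendor fix or writing a local one, the three things to look for are exactly the differences above: no nopriv registration for the destructive action, a current_user_can() check against a capability that fits the operation, and a post-type restriction so the handler cannot reach posts outside the plugin's own data. Donor-facing forms may legitimately need a nopriv hook for submitting a request; deletion never does.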


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-07T15:39:01.133Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69216996633f6b6b24ab4788

Added to database: 11/22/2025, 7:43:18 AM

Last enriched: 11/22/2025, 7:44:13 AM

Last updated: 11/22/2025, 12:27:00 PM

