CVE-2025-4523 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the IDonate – Blood Donation, Request And Donor Management System plugin for WordPress, specifically versions 2.0.0 through 2.1.9. The root cause is a missing capability check in the admin_donor_profile_view() function, which is responsible for displaying donor profiles to administrators. Due to this missing authorization control, any authenticated user with at least Subscriber-level privileges can invoke this function and retrieve sensitive data, including administrator usernames, email addresses, and all donor-related fields. The vulnerability is remotely exploitable without user interaction and requires only low privileges, making it relatively easy to exploit in environments where the plugin is installed. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with a vector indicating network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, and high confidentiality impact but no impact on integrity or availability. Although no public exploits have been reported yet, the exposure of personally identifiable information (PII) and sensitive donor data poses significant privacy risks, especially in healthcare contexts. The vulnerability highlights the importance of proper capability checks in WordPress plugins that handle sensitive data.

The primary impact of CVE-2025-4523 is the unauthorized disclosure of sensitive information, including administrator credentials (usernames and emails) and donor personal data. This exposure can lead to privacy violations, regulatory non-compliance (such as GDPR or HIPAA), and potential targeted phishing or social engineering attacks against administrators or donors. While the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can damage organizational reputation and trust. Healthcare organizations using the IDonate plugin are particularly vulnerable due to the sensitivity of donor information. Attackers with low-level access can escalate their knowledge of the system and potentially leverage exposed information for further attacks. The medium severity rating reflects the balance between the ease of exploitation and the impact limited to information disclosure without integrity or availability compromise.

To mitigate CVE-2025-4523, organizations should immediately update the IDonate plugin to a patched version once available from the vendor. In the absence of an official patch, administrators should implement strict access controls to limit Subscriber-level and higher privileges to trusted users only. Reviewing and hardening WordPress user roles and capabilities can reduce the attack surface. Additionally, monitoring access logs for unusual activity related to donor profile views can help detect exploitation attempts. Employing Web Application Firewalls (WAFs) with custom rules to block unauthorized access to the vulnerable function endpoints may provide temporary protection. Regular security audits of plugins handling sensitive data are recommended to identify missing authorization checks. Finally, organizations should ensure data encryption at rest and in transit to mitigate risks from data exposure.