CVE-2025-60045: Missing Authorization in ThemeAtelier IDonatePro
Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects IDonatePro: from n/a through <= 2.1.11.
AI Analysis
Technical Summary
CVE-2025-60045 identifies a missing authorization vulnerability in the ThemeAtelier IDonatePro WordPress plugin, affecting versions up to and including 2.1.11. The flaw arises from inadequate enforcement of access control lists (ACLs): functionality that should be restricted can be invoked by unauthenticated remote attackers. Exploitation is possible over the network and requires neither authentication nor user interaction. The CVSS 3.1 base score of 7.5 reflects a high-severity issue whose primary impact is on confidentiality, since attackers can reach protected data or functions without permission. No public exploits are currently known, but the nature of the flaw means exploitation could lead to unauthorized data disclosure or manipulation of donation-related processes. IDonatePro is used in WordPress environments to manage donation campaigns, which makes it attractive to attackers seeking to disrupt nonprofit operations or steal donor information. No vendor patch was available at the time of disclosure, so administrators need to apply interim mitigations. The combination of network reachability and no required privileges makes this a priority concern for organizations that rely on the plugin for fundraising.
Potential Impact
For European organizations, especially nonprofits and charities using IDonatePro, this vulnerability poses a significant risk to donor data confidentiality and the integrity of donation processes. Unauthorized access could lead to exposure of sensitive donor information, manipulation of donation records, or disruption of fundraising campaigns. This could damage organizational reputation, lead to regulatory non-compliance under GDPR, and result in financial losses. Given the plugin's role in managing donations, exploitation could also undermine trust in digital fundraising platforms. The impact is heightened in countries with large nonprofit sectors and widespread WordPress adoption, where IDonatePro usage is more prevalent. Additionally, organizations that do not promptly apply mitigations or lack robust network defenses are at increased risk of compromise.
Mitigation Recommendations
1. Monitor ThemeAtelier communications and apply official patches immediately upon release to remediate the missing authorization flaw.
2. In the absence of patches, implement Web Application Firewall (WAF) rules to restrict access to IDonatePro endpoints, blocking unauthenticated requests to sensitive functions.
3. Restrict network access to the plugin's administrative and API endpoints using IP allowlisting or VPNs where feasible.
4. Conduct thorough access control audits of the plugin's configuration to ensure no unintended exposure of functionality.
5. Employ intrusion detection systems to monitor for anomalous access patterns targeting donation management features.
6. Educate IT and security teams about the vulnerability to ensure rapid response and incident handling.
7. If the risk warrants it, consider temporarily disabling the plugin until a patch is available and tested.
8. Review and enhance logging to capture detailed activity related to donation processing for forensic readiness.
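To make the "functionality not properly constrained by ACLs" class concrete for the access control audit recommended above, here is an added illustration of the pattern in a WordPress plugin. This is not IDonatePro's code and the advisory does not identify the affected function; the hook, option and capability names are hypothetical. It shows an AJAX handler with the flaw beside a hardened version, and a REST route whose permission callback enforces the same check.

```php
<?php
// Added illustration of the vulnerability class, not IDonatePro's code.
// Hook, option and capability names below are hypothetical.

// VULNERABLE: registered for unauthenticated visitors (wp_ajax_nopriv_) and
// performs a privileged write with no capability check and no nonce, so any
// unauthenticated request to admin-ajax.php with this action changes the setting.
add_action('wp_ajax_nopriv_demo_update_goal', 'demo_update_goal_unsafe');
add_action('wp_ajax_demo_update_goal', 'demo_update_goal_unsafe');
function demo_update_goal_unsafe() {
    $goal = isset($_POST['goal']) ? absint($_POST['goal']) : 0;
    update_option('demo_campaign_goal', $goal);
    wp_send_json_success(['goal' => $goal]);
}

// HARDENED: no nopriv registration, nonce verified (CSRF), capability checked
// (the ACL the advisory says was not enforced) before any state change.
add_action('wp_ajax_demo_update_goal_safe', 'demo_update_goal_safe');
function demo_update_goal_safe() {
    check_ajax_referer('demo_goal_nonce', 'nonce');   // dies with 403 on failure
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403); // sends and exits
    }
    $goal = isset($_POST['goal']) ? absint($_POST['goal']) : 0;
    update_option('demo_campaign_goal', $goal);
    wp_send_json_success(['goal' => $goal]);
}

// The same check for a REST route: permission_callback is the ACL. A route
// registered with '__return_true' here is reachable by anyone on the network.
add_action('rest_api_init', function () {
    register_rest_route('demo/v1', '/goal', [
        'methods'             => 'POST',
        'callback'            => function (WP_REST_Request $req) {
            $goal = absint($req->get_param('goal'));
            update_option('demo_campaign_goal', $goal);
            return rest_ensure_response(['goal' => $goal]);
        },
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => ['goal' => ['required' => true, 'type' => 'integer']],
    ]);
});
```

For REST routes WordPress already validates the X-WP-Nonce header for cookie-authenticated callers, so the permission callback is the piece that must not be left as `__return_true`; during an audit, grep the plugin for `wp_ajax_nopriv_` and `permission_callback` to enumerate every entry point that needs this check.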
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:19:17.077Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b0474eb3efac366ff9b2
Added to database: 12/18/2025, 7:41:59 AM
Last enriched: 1/20/2026, 9:28:50 PM
Last updated: 2/4/2026, 6:09:53 AM