CVE-2025-60045 identifies a missing authorization vulnerability in the ThemeAtelier IDonatePro plugin, specifically in versions up to and including 2.1.11. The vulnerability arises because certain functionality within the plugin is not properly constrained by Access Control Lists (ACLs), allowing unauthorized users to invoke functions that should require elevated privileges. This can lead to unauthorized access to administrative or sensitive donation management features, potentially enabling attackers to manipulate donation data, alter configurations, or perform actions reserved for authenticated administrators. The vulnerability does not require prior authentication, increasing its risk profile. Although no known exploits have been reported in the wild, the lack of proper authorization checks presents a significant security gap. The plugin is typically deployed in WordPress environments to facilitate donation processing and management, making it a target for attackers seeking to disrupt nonprofit operations or steal sensitive information. No CVSS score has been assigned yet, and no official patches have been linked, indicating that organizations should be vigilant and prepare to apply updates once available. The vulnerability was reserved in late September 2025 and published in December 2025, suggesting recent discovery and disclosure.

For European organizations, especially nonprofits and charities relying on IDonatePro for donation management, this vulnerability could lead to unauthorized manipulation of donation records, financial fraud, or disruption of fundraising activities. Unauthorized access might allow attackers to alter donation amounts, redirect funds, or access donor information, impacting confidentiality and integrity. The availability of donation services could also be affected if attackers exploit the flaw to disrupt plugin functionality. Given the widespread use of WordPress in Europe and the importance of nonprofit sectors in countries like the UK, Germany, France, and the Netherlands, the impact could be significant. Additionally, unauthorized access could damage organizational reputation and trust among donors. The lack of authentication requirement increases the ease of exploitation, potentially allowing remote attackers to leverage this vulnerability without user interaction.

Organizations should immediately inventory their WordPress environments to identify installations of the IDonatePro plugin and determine the version in use. Until an official patch is released by ThemeAtelier, restrict access to the plugin’s administrative interfaces using web application firewalls (WAFs), IP whitelisting, or network segmentation to limit exposure. Implement strict role-based access controls within WordPress to minimize privileges granted to users. Monitor logs for unusual access patterns or unauthorized function calls related to the plugin. Consider temporarily disabling the plugin if it is not critical to operations. Stay informed through vendor channels and security advisories to apply patches promptly once available. Additionally, conduct security awareness training for administrators to recognize potential exploitation attempts. Employ intrusion detection systems (IDS) to detect anomalous activities targeting the plugin’s endpoints.