The IDonate plugin for WordPress suffers from a privilege escalation flaw that allows authenticated attackers, with Subscriber-level access or higher, to bypass crucial capability checks in the idonate_donor_password() function. This oversight can lead to unauthorized password reset requests for any user, including administrators, enabling attackers to manipulate user accounts and potentially gain full administrative control over the site. It's essential for users of affected versions to update promptly to secure their installations.
https://securityvulnerability.io/vulner ... -2025-4519