Cyber Resilience

CVE-2025-4521

Severity: High

Published: 19 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (19.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-4521 is a high-severity Improper Authorization (CWE-285) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS ranking places it at the 19.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-4521 is a privilege escalation vulnerability in the IDonate – Blood Donation, Request And Donor Management System plugin for WordPress, affecting versions 2.1.5 through 2.1.9. The issue arises from a missing capability check in the idonate_donor_profile() function, which fails to properly validate user permissions before allowing modifications.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying a donor_id parameter, they can reassign the email address of any target account to one under their control, then trigger a password reset process to hijack the account and elevate to full administrator privileges. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-285 (Improper Authorization).

Advisories and patch details indicate that the fix is to update to version 2.1.10 or later, where the missing capability check was added (changeset 3334424 in the plugin's code repository). Further technical analysis is available in the source-code diffs and Wordfence's threat intelligence report, with developer resources on the WordPress plugin page.
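The root cause described above is a handler that trusts a caller-supplied donor_id without checking whether the current user is allowed to act on that record. The following is an added example, not the IDonate plugin's code and not the changeset referenced above: a hypothetical WordPress AJAX handler (all names prefixed with example_ are assumptions; the WordPress API functions called are real) that enforces the nonce, capability and input checks a defender would expect around an email change, plus a small audit hook so that bulk email reassignments show up in logs. It assumes donor_id maps to a WordPress user ID, as the advisory's description of account hijacking implies.

```php
<?php
/**
 * Added example (hypothetical, not the IDonate plugin's code): a WordPress
 * AJAX handler that updates a donor's email address only after verifying
 * that the caller is authorized to edit that specific account.
 */

add_action( 'wp_ajax_example_donor_profile', 'example_donor_profile' );

function example_donor_profile() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_donor_profile', 'nonce' );

    // 2. Authentication: wp_ajax_* hooks only fire for logged-in users, but be explicit.
    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    // 3. Authorization: donor_id comes from the client and is untrusted.
    //    A Subscriber may act only on their own record; editing anyone else's
    //    requires the per-object 'edit_user' capability, which WordPress maps
    //    to 'edit_users' (held by administrators). This is the kind of
    //    capability check the advisory describes as missing.
    $donor_id = isset( $_POST['donor_id'] ) ? absint( $_POST['donor_id'] ) : 0;
    if ( $donor_id !== $current_user_id && ! current_user_can( 'edit_user', $donor_id ) ) {
        wp_send_json_error( array( 'message' => 'You may only edit your own donor profile.' ), 403 );
    }

    // 4. Validate the new email before touching the attribute that drives
    //    password resets.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }
    $existing = email_exists( $email );
    if ( $existing && (int) $existing !== $donor_id ) {
        wp_send_json_error( array( 'message' => 'Email already in use.' ), 409 );
    }

    // 5. Apply the change through the core API so standard hooks (including
    //    'profile_update', used for auditing below) fire.
    $result = wp_update_user( array( 'ID' => $donor_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'donor_id' => $donor_id ) );
}

// Detection aid: record every email change together with the acting user,
// so a run of reassignments from one low-privilege account is visible in logs.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $new_email = get_userdata( $user_id )->user_email;
    if ( $old_user_data->user_email !== $new_email ) {
        error_log( sprintf(
            'user_email of user %d changed from %s to %s by user %d',
            $user_id,
            $old_user_data->user_email,
            $new_email,
            get_current_user_id()
        ) );
    }
}, 10, 2 );
```

The ownership test in step 3 is the important line: comparing donor_id to the current user's ID (or requiring a real capability for anyone else) is what turns an arbitrary-account email change into a self-service profile update. Until the plugin is updated to 2.1.10 or later, the audit hook alone gives an operator a way to spot the email-change-then-reset pattern in existing logs.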


Vulnerability details

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account by reassigning its email address (via the donor_id they supply) and then triggering a password reset, ultimately granting themselves full administrator privileges.

CWE(s): CWE-285 (Improper Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization check directly enables authenticated privilege escalation from subscriber to administrator via account email reassignment and takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2017-20238 (shared CWE-285)
CVE-2026-39389 (shared CWE-285)
CVE-2025-29922 (shared CWE-285)
CVE-2025-21400 (shared CWE-285)
CVE-2025-24053 (shared CWE-285)
CVE-2025-24418 (shared CWE-285)
CVE-2024-56320 (shared CWE-285)
CVE-2025-21275 (shared CWE-285)
CVE-2026-35476 (shared CWE-285)
CVE-2025-53795 (shared CWE-285)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Enforces approved authorizations for access to system resources, directly addressing the missing capability check in idonate_donor_profile() that allowed unauthorized email reassignments.

prevent: Employs least privilege to restrict Subscriber-level users from modifying higher-privilege donor profiles, preventing privilege escalation to administrator access.

prevent: Manages account attributes like email addresses with approval processes and monitoring, mitigating unauthorized reassignments that enable password reset hijacking.
