CVE-2025-4521
Published: 19 February 2026
Summary
CVE-2025-4521 is a high-severity Improper Authorization (CWE-285) vulnerability in WordPress (product inferred from references; the affected component is the IDonate plugin described below). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 18.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for access to system resources, directly addressing the missing capability check in idonate_donor_profile() that allowed unauthorized email reassignments.
- Employs least privilege to restrict Subscriber-level users from modifying higher-privilege donor profiles, preventing privilege escalation to administrator access.
- Manages account attributes such as email addresses with approval processes and monitoring, mitigating the unauthorized reassignments that enable password reset hijacking.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization check directly enables authenticated privilege escalation from Subscriber to Administrator via account email reassignment and subsequent account takeover.
NVD Description
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account by reassigning its email address (via the donor_id they supply) and then triggering a password reset, ultimately granting themselves full administrator privileges.
Deeper analysis
CVE-2025-4521 is a privilege escalation vulnerability in the IDonate – Blood Donation, Request And Donor Management System plugin for WordPress, affecting versions 2.1.5 through 2.1.9. The issue arises from a missing capability check in the idonate_donor_profile() function, which fails to properly validate user permissions before allowing modifications.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying a donor_id parameter, they can reassign the email address of any target account to one under their control, then trigger a password reset process to hijack the account and elevate to full administrator privileges. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-285 (Improper Authorization).
Advisories and patch details indicate mitigation through updating to version 2.1.10 or later, where the missing capability check was added, as evidenced by changeset 3334424 in the plugin's code repository. Further technical analysis is available in the source code diffs and Wordfence's threat intelligence report, with developer resources on the WordPress plugin page.
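As an added illustration (not the IDonate plugin's own code, and not the fix in changeset 3334424), the following WordPress handler shows the authorization pattern whose absence the advisory describes: a caller-supplied donor_id is resolved to its owning account and the caller must own that account or hold the edit_user capability for it before the email may change. The hook name, post type and donor-to-user mapping are assumptions for illustration.

```php
<?php
// Added illustrative example, not the IDonate plugin's code: a donor-profile
// update handler with the ownership/capability check the vulnerable versions
// lacked. Hook name, post type and donor-to-user mapping are assumptions.

// Assumed mapping: each donor record is a custom post whose post_author is the
// owning WordPress user. The advisory does not say how the real plugin maps them.
function example_donor_owner_user_id( int $donor_id ): int {
    $post = get_post( $donor_id );
    if ( ! $post || 'idonate_donor' !== $post->post_type ) { // assumed post type
        return 0;
    }
    return (int) $post->post_author;
}

function example_hardened_donor_profile_update() {
    // CSRF: the request must carry a nonce tied to this action.
    check_ajax_referer( 'example_donor_profile', 'nonce' );

    // Authentication: anonymous callers are rejected outright.
    $current_user = get_current_user_id();
    if ( 0 === $current_user ) {
        wp_send_json_error( 'login required', 401 );
    }

    // Authorization: donor_id is caller-controlled, so resolve it to the owning
    // account and require that the caller owns it or holds edit_user for it.
    // A Subscriber has neither for another user's account.
    $donor_id = isset( $_POST['donor_id'] ) ? absint( $_POST['donor_id'] ) : 0;
    $owner_id = example_donor_owner_user_id( $donor_id );
    if ( 0 === $owner_id ) {
        wp_send_json_error( 'unknown donor', 404 );
    }
    if ( $owner_id !== $current_user && ! current_user_can( 'edit_user', $owner_id ) ) {
        wp_send_json_error( 'not authorized', 403 );
    }

    // Input validation: only a well-formed address may be stored.
    $new_email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( ! is_email( $new_email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    // The update targets the resolved owner, never an arbitrary id from the request.
    $result = wp_update_user( array( 'ID' => $owner_id, 'user_email' => $new_email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'user_id' => $owner_id ) );
}
add_action( 'wp_ajax_example_donor_profile', 'example_hardened_donor_profile_update' );
```

For detection, a change to user_email on an account other than the requester's, made through a plugin endpoint rather than the core profile screen, is the event worth alerting on; the check above turns such requests into 403 responses that can be logged.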
Details
- CWE(s)