CVE-2025-4519

WordPress · WordPress IDonate – Blood Donation, Request And Donor Management System plugin

A high-severity vulnerability exists within the "IDonate – Blood Donation, Request And Donor Management System" WordPress plugin.

Executive summary

A high-severity vulnerability exists within the "IDonate – Blood Donation, Request And Donor Management System" WordPress plugin. This flaw allows any authenticated user, regardless of their permission level, to change the password of any other user, including administrators. Successful exploitation could result in a complete takeover of the affected website, leading to data theft, defacement, or further malicious activity.

Vulnerability

The vulnerability is a privilege escalation caused by a missing capability check in the idonate_donor_password() function. This function handles password changes but never verifies whether the user initiating the request is allowed to change the target account's password. An attacker with a low-privileged account, such as a subscriber, can send a request to this function to reset the password of any user on the site, gaining unauthorized access to that account. To exploit this, an attacker only needs to be authenticated and to know the username or ID of the target account (e.g., an administrator).
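To make the "missing capability check" concrete, the following is an added illustration written for this advisory; it is not the plugin's code, and the handler body, parameter names and the AJAX action name idonate_donor_password are assumptions. It shows the shape of a handler that reaches wp_set_password() for any logged-in caller, beside a hardened version that ties the request to a nonce and to the edit_user capability for the specific target account (the WordPress meta-capability that lets users edit themselves but requires edit_users for other accounts).

```php
<?php
/**
 * Illustrative example for CVE-2025-4519 (not the plugin's own code).
 * Function bodies, parameter names and the AJAX action name are assumed.
 */

// Vulnerable shape: wp_ajax_* hooks fire for any authenticated user, and
// nothing here checks whether that user may modify the requested account.
function idonate_donor_password_insecure() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );

    // Missing: check_ajax_referer() and current_user_can( 'edit_user', $user_id ).
    wp_set_password( $password, $user_id );
    wp_send_json_success();
}

// Hardened shape: CSRF token, capability check against the *target* user,
// and basic input validation before the password is touched.
function idonate_donor_password_secure() {
    // Dies with a 403 unless a valid nonce for this action was submitted.
    check_ajax_referer( 'idonate_donor_password', 'nonce' );

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );

    if ( 0 === $user_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 400 );
    }

    // The core fix: the caller must hold edit_user for this specific account.
    // A subscriber passes only for their own ID; administrators pass for others.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Password too short.' ), 400 );
    }

    wp_set_password( $password, $user_id );
    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}

// Only the hardened handler is registered; no wp_ajax_nopriv_ variant is added,
// so unauthenticated requests never reach it.
add_action( 'wp_ajax_idonate_donor_password', 'idonate_donor_password_secure' );
```

The decisive line is the current_user_can( 'edit_user', $user_id ) check: it is evaluated against the account being changed, not merely against "is logged in", which is the distinction the vulnerable code misses.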

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit leads to a full compromise of the WordPress application. The business impact includes the potential for sensitive data exfiltration (customer PII, donor information), reputational damage from website defacement, distribution of malware to site visitors, and loss of control over the web asset. The complete administrative access gained by an attacker could also be used to pivot to other systems within the network, escalating the overall security risk to the organization.

Remediation

Immediate Action: Immediately update the "IDonate – Blood Donation, Request And Donor Management System" plugin to the latest patched version provided by the vendor. If an update is not available or the plugin is not critical to business operations, disable and uninstall it to remove the attack vector. After patching, review all user accounts, particularly those with administrative privileges, for any unauthorized password changes or suspicious activity.

Proactive Monitoring: Monitor WordPress audit logs for an unusual volume of password reset events or for password changes initiated by low-privileged users against other accounts. Review web server access logs for requests to the endpoint that invokes the vulnerable function and for other suspicious POST requests. Monitor for the creation of new, unauthorized administrative accounts and for unexpected modifications to website content and plugins.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) rule to block requests attempting to access the vulnerable idonate_donor_password() function. Restricting access to the WordPress login and administration pages (/wp-login.php and /wp-admin/) to trusted IP addresses can also help mitigate risk from external attackers.
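The monitoring step above depends on having a record of who changed whose password. WordPress core does not log this by default, so the following added example (not part of the advisory or of the plugin) is a small must-use plugin that writes one structured line per password change and flags the case the advisory describes: an acting account that lacks edit_user on the target yet triggered a password change for it. It hooks the core actions wp_set_password (fired by wp_set_password(), present in current WordPress releases) and profile_update (fired by wp_update_user()); which of these a given plugin code path actually triggers is an assumption, which is why both are covered.

```php
<?php
/**
 * Plugin Name: Password-change audit (added example)
 * Description: Logs every password change with actor, target and an
 *              authorization verdict. Place in wp-content/mu-plugins/.
 *
 * Example code written for this advisory; not the IDonate plugin's code.
 */

function example_audit_password_change( $target_id, $source ) {
    $actor_id = get_current_user_id();            // 0 for non-interactive flows
    $target   = get_userdata( $target_id );
    $actor    = $actor_id ? get_userdata( $actor_id ) : null;

    // Should never be true on a correctly authorizing site: the acting
    // account cannot edit the target, yet the target's password changed.
    $unauthorized = $actor_id && ! user_can( $actor_id, 'edit_user', $target_id );
    $cross_user   = $actor_id && $actor_id !== (int) $target_id;

    $record = array(
        'event'        => 'password_change',
        'source'       => $source,
        'actor_id'     => $actor_id,
        'actor_roles'  => $actor ? $actor->roles : array(),
        'target_id'    => (int) $target_id,
        'target_roles' => $target ? $target->roles : array(),
        'cross_user'   => $cross_user,
        'unauthorized' => $unauthorized,
        'remote_addr'  => sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
        'request_uri'  => sanitize_text_field( $_SERVER['REQUEST_URI'] ?? '' ),
        'time'         => gmdate( 'c' ),
    );

    // Severity first so a log forwarder can route on it without parsing JSON.
    $level = $unauthorized ? 'ALERT' : ( $cross_user ? 'NOTICE' : 'INFO' );
    error_log( $level . ' ' . wp_json_encode( $record ) );
}

// Direct password sets (wp_set_password) fire this action with the user ID.
add_action( 'wp_set_password', function ( $password, $user_id ) {
    example_audit_password_change( $user_id, 'wp_set_password' );
}, 10, 2 );

// wp_update_user() fires profile_update with the merged user data; the
// password changed only if the submitted user_pass differs from the old hash.
add_action( 'profile_update', function ( $user_id, $old_user_data, $userdata ) {
    if ( isset( $userdata['user_pass'] )
        && $userdata['user_pass'] !== $old_user_data->user_pass ) {
        example_audit_password_change( $user_id, 'profile_update' );
    }
}, 10, 3 );
```

Lines tagged ALERT are the ones to page on: during the window before the plugin is patched, a subscriber-role actor_id paired with an administrator-role target_id is the direct signature of the flaw being used. NOTICE lines (an administrator resetting another user's password) are normal but worth reviewing in bulk after patching, as the Immediate Action step recommends.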

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8 and the risk of a complete website compromise, it is strongly recommended that organizations treat this vulnerability as a critical priority. The "IDonate" plugin should be patched or removed immediately. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants urgent attention to prevent potential exploitation and protect sensitive organizational and user data.