WordPress IDonate Plugin, Authorization Bypass and CSRF, CVE-2025-11154 (Critical)


CVE-2025-11154 affects the IDonate WordPress plugin in versions before 2.1.13. The plugin registers an action handler that deletes users, but the handler performs neither an authorization check nor CSRF validation: it does not verify that the requesting user holds administrative privileges or the permission to delete users, and it does not require a CSRF token (nonce) that would tie the request to a deliberate action by a legitimate user. An unauthenticated attacker can therefore send a crafted HTTP POST request to the vulnerable endpoint, such as admin-ajax.php, with a parameter naming the user ID to delete, and the plugin carries out the deletion. Because no authentication or CSRF validation takes place, a remote attacker can delete any user, including administrators, without any user interaction. The root cause is insecure coding practice: access control and request validation were omitted from the user-deletion functionality.
Platform: WordPress IDonate Plugin
Version: before 2.1.13
Vulnerability: Unauthenticated User Deletion
Severity: Critical
Date: 10/27/2025

Prediction: Patch in 2.1.13

What Undercode Says:

Analytics:

curl -X POST http:///wp-admin/admin-ajax.php -d "action=idonate_delete_user&user_id=1"
wget --post-data "action=idonate_delete_user&user_id=1" http:///wp-admin/admin-ajax.php

How to Exploit:

Send a POST request to the vulnerable endpoint with a user_id parameter.
Use tools such as curl or a browser to trigger the deletion.

Exploit requires no authentication or CSRF tokens.

Protection from this CVE:

Update to version 2.1.13.

Implement authorization checks.

Add CSRF protection mechanisms.
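As an added illustration of the two protections listed above (not the IDonate plugin's own code, whose internals are not shown on this page), the following WordPress-style admin-ajax handler shows what the deletion action looks like with a capability check and a nonce check in place. The action name idonate_delete_user is taken from the commands above; the nonce action string, the function names and the extra administrator guard are assumptions.

```php
<?php
// Added illustration, not the IDonate plugin's own code. The action name
// idonate_delete_user comes from the page; the nonce action string
// 'idonate_delete_user_nonce' and the function names are assumptions.

// Register only the authenticated hook. Deliberately NOT registering
// wp_ajax_nopriv_idonate_delete_user means admin-ajax.php has no handler
// for logged-out callers and rejects them before this code runs.
add_action( 'wp_ajax_idonate_delete_user', 'idonate_handle_delete_user' );

function idonate_handle_delete_user() {
    // 1. CSRF: the request must carry a nonce bound to this action and to the
    //    current user's session. check_ajax_referer() terminates the request
    //    (HTTP 403) when the nonce is missing, stale or forged.
    check_ajax_referer( 'idonate_delete_user_nonce', '_ajax_nonce' );

    // 2. Authorization: the caller needs the capability to delete users,
    //    which only administrators hold by default.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: coerce to a non-negative int and reject unknown ids.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id || false === get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 400 );
    }

    // 4. Defence in depth (assumed policy): never delete the caller's own
    //    account or any administrator through this endpoint.
    if ( get_current_user_id() === $user_id || user_can( $user_id, 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'This account cannot be deleted here.' ), 403 );
    }

    // wp_delete_user() lives in an admin include that is not loaded for ajax.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( ! wp_delete_user( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $user_id ) );
}

// The admin page that issues the request obtains the nonce server-side and
// sends it as _ajax_nonce; wp_create_nonce() binds it to the current session.
function idonate_delete_user_nonce() {
    return wp_create_nonce( 'idonate_delete_user_nonce' );
}
```

The order of the checks matters: the nonce is verified first so that a forged cross-site request is rejected before any capability or database lookup, and the capability check uses the `delete_users` capability rather than a role name so that it survives custom role configurations. The missing `wp_ajax_nopriv_` registration is itself part of the fix: it is what turns an unauthenticated POST into a rejected request.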

Impact:

Arbitrary user deletion.

Site administration compromise.

Service disruption and data loss.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
