{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12877", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-07T15:39:01.133Z", "datePublished": "2025-11-22T07:29:20.354Z", "dateUpdated": "2026-04-08T17:10:17.376Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:17.376Z"}, "affected": [{"vendor": "faysal61", "product": "IDonate \u2013 Blood Donation, Request And Donor Management System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The IDonate \u2013 Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification od data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthenticated attackers to delete arbitrary posts. CVE-2025-67583 is likely a duplicate of this."}], "title": "IDonate \u2013 Blood Donation, Request And Donor Management System <= 2.1.15 - Missing Authorization to Unauthenticated Arbitrary Post Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96bd997f-63d5-47a7-b433-486c1113b44b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3398056/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3400306/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Varakorn Chanthasri"}], "timeline": [{"time": "2025-11-07T15:54:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-21T19:24:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-24T19:33:29.988141Z", "id": "CVE-2025-12877", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T19:33:38.865Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12877", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-24T19:33:29.988141Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T19:33:35.275Z"}}], "cna": {"title": "IDonate \u2013 Blood Donation, Request And Donor Management System <= 2.1.15 - Missing Authorization to Unauthenticated Arbitrary Post Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Varakorn Chanthasri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "faysal61", "product": "IDonate \u2013 Blood Donation, Request And Donor Management System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-07T15:54:09.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-21T19:24:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96bd997f-63d5-47a7-b433-486c1113b44b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3398056/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3400306/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php"}], "descriptions": [{"lang": "en", "value": "The IDonate \u2013 Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification od data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthenticated attackers to delete arbitrary posts. CVE-2025-67583 is likely a duplicate of this."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:17.376Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12877", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:17.376Z", "dateReserved": "2025-11-07T15:39:01.133Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-22T07:29:20.354Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themeatelier:idonate:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "150FECCD-3B2E-4331-A600-6F5781FA8467", "versionEndExcluding": "2.1.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The IDonate \u2013 Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification od data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthenticated attackers to delete arbitrary posts. CVE-2025-67583 is likely a duplicate of this."}], "id": "CVE-2025-12877", "lastModified": "2026-04-08T18:23:42.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-22T08:15:44.207", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3398056/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3400306/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php"}, {"source": "security@wordfence.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96bd997f-63d5-47a7-b433-486c1113b44b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:02:20.170759+00:00", "value": {"mitigation_remediation": ["Upgrade the IDonate plugin to a version newer than 2.1.15, which includes the missing authorization check.", "If an immediate upgrade is not feasible, disable or remove the panding_blood_request_action endpoint or the entire plugin until a patched version is available.", "Apply proper role\u2011based access controls in the site \u2013 ensure that only users with the necessary capabilities can perform post deletion operations, consistent with CWE\u2011862 remediation guidance."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the IDonate plugin version 2.1.15 or earlier, including all releases up to 2.1.15, run the risk. The affected product is identified by the vendor faysal61\u2019s IDonate plugin. Any WordPress installation that has not applied a version update beyond 2.1.15 is vulnerable.", "description_and_impact": "The IDonate Blood Donation, Request And Donor Management System plugin for WordPress contains a missing capability check in the panding_blood_request_action() function. Because the plugin does not verify the caller\u2019s privileges, an unauthenticated user can invoke the AJAX endpoint and delete arbitrary posts from the site. The vulnerability allows complete loss of content without any authentication or authorization controls, directly compromising data integrity for any site that relies on the plugin to store donation requests or donor records.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit it by sending an unauthenticated AJAX request to the plugin's endpoint; no special privileges or prior compromise are required, making the attack path straightforward for an external attacker with network visibility to the site."}}}}, "created": "2025-11-24T09:08:18.706653+00:00", "updated": "2026-04-21T18:15:36.364092+00:00", "vendors": ["themeatelier", "themeatelier$PRODUCT$idonate", "wordpress", "wordpress$PRODUCT$wordpress"]}