Impact
The IDonatePro plugin for WordPress contains a missing authorization flaw that permits attackers to bypass configured access controls. This vulnerability can be used to gain privileges that should be limited to administrators, allowing the attacker to modify plugin settings, upload and execute files, or potentially alter website content. The weakness is classified as CWE-862 (Missing Authorization): the plugin performs a privileged action without first verifying that the caller is allowed to request it. Successful exploitation could compromise the confidentiality, integrity, or availability of the website.
Affected Systems
The flaw affects ThemeAtelier IDonatePro releases up through version 2.1.9. Users running any version of the plugin from the initial release to 2.1.9 are impacted. No specific environment or operating system is required beyond a standard WordPress installation that has this plugin installed and active.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.5, indicating a high risk level when exploited. The EPSS score is reported as less than 1%, indicating a low estimated probability that it is currently being exploited in the wild. It is not listed in the CISA KEV catalog. That said, the attack vector is inferred to be the web interface: an attacker can send crafted requests to the plugin's administrative endpoints, which do not verify the caller's role. If successfully exploited, the attacker could assume administrative permissions, which could be leveraged for further site compromise or data exfiltration.
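The pattern described above, shown as an added illustration rather than IDonatePro's own code: a plugin AJAX handler that writes settings without any authorization check, beside a hardened version that verifies a nonce and the caller's capability first. The hook names, option key and nonce action are assumptions for the example.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in a WordPress plugin.
// Not IDonatePro's code; hook names, option key and nonce action are assumptions.

// VULNERABLE: wp_ajax_* handlers run for any logged-in user, and nothing here
// checks who is calling before the plugin's settings are overwritten.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// HARDENED: verify request intent (nonce) and authorization (capability) before
// doing anything, then sanitize input. 'manage_options' restricts the action to
// administrators; settings are assumed to be a flat array of strings.
add_action( 'wp_ajax_example_save_settings_fixed', 'example_save_settings_fixed' );
function example_save_settings_fixed() {
    // Stops the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // The authorization check the vulnerable handler lacks; wp_send_json_error
    // calls wp_die(), so execution does not continue past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $settings = array_map( 'sanitize_text_field', wp_unslash( $raw ) );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of flaw, every `admin_post_*`, `wp_ajax_*` and REST `permission_callback` that changes state should be checked for an explicit `current_user_can()` call, not just a nonce.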