Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeAtelier IDonatePro (idonate-pro) allows Retrieve Embedded Sensitive Data. This issue affects IDonatePro: from n/a through <= 2.1.9.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the IDonatePro plugin allows an attacker to retrieve embedded sensitive system information. The vulnerability is a classic information disclosure: it can expose data the plugin has stored or generated while operating under WordPress, potentially giving an unauthorized user insight into the site's internal configuration or user data. The weakness is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), reflecting the exposure of data that should remain confidential.

Affected Systems

The vulnerability affects the ThemeAtelier IDonatePro WordPress plugin in version 2.1.9 and all earlier versions (the advisory gives no lower bound). It is present in every WordPress installation where an affected version of the plugin is deployed, regardless of hosting environment.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, further indicating a relatively low current threat level. The CVSS 3.1 vector recorded for this CVE (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) describes a network-reachable issue that requires low-privileged access and no user interaction, with high confidentiality impact and no integrity or availability impact; consistent with that, the likely attack vector is a remote request to the plugin's front-end or internal API. No exploit code is publicly disclosed, but the impact could be significant if sensitive data were compromised.

Generated by OpenCVE AI on April 29, 2026 at 16:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the IDonatePro plugin to a version above 2.1.9 in which the disclosure issue is fixed, once the vendor publishes one (no vendor fix is recorded at the time of this analysis).
  • If upgrading is not immediately possible, reduce external visibility of the plugin's assets and data by restricting public access to the relevant endpoints or files at the WordPress or web-server level.
  • If the plugin is not required for the site's functionality, remove it entirely to eliminate the exposure.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000
Tue, 20 Jan 2026 14:45:00 +0000
Thu, 13 Nov 2025 11:30:00 +0000
Thu, 13 Nov 2025 10:45:00 +0000

Thu, 23 Oct 2025 16:15:00 +0000
Type: Metrics
Values added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000
Type: First Time appeared
Values added: Themeatelier; Themeatelier idonate; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Themeatelier; Themeatelier idonate; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000
Type: Description
Values added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeAtelier IDonatePro idonate-pro allows Retrieve Embedded Sensitive Data.This issue affects IDonatePro: from n/a through <= 2.1.9.
Type: Title
Values added: WordPress IDonatePro plugin <= 2.1.9 - Sensitive Data Exposure vulnerability
Type: Weaknesses
Values added: CWE-497
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:04:38.622Z

Reserved: 2025-06-19T10:02:55.535Z

Link: CVE-2025-52752

Vulnrichment

Updated: 2025-10-23T15:19:17.203Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:45.070

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-52752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z

Weaknesses