IDonate WordPress Plugin Missing Authorization Vulnerability Allows Unauthenticated Post Deletion

A vulnerability exists in the IDonate Word Donation, Request And Donor Management System plugin for WordPress, in versions through 2.1.15. The issue arises from a missing capability check in the panding_blood_request_action() function, allowing unauthenticated users to delete arbitrary posts. This unauthorized data modification could be exploited by attackers to manipulate content on the site.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of posts, which could disrupt content management and lead to loss of important data.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site with the 'wp_ajax_panding_blood_request_action' action. Include a 'target' parameter set to 'delete' and a 'userid' parameter containing the ID of the post to be deleted. The absence of a proper capability check allows the deletion to occur without authentication.

Remediation

Users are advised to update the IDonate WordPress plugin to version 2.1.16 or later, where this vulnerability has been patched.