ThemeAtelier IDonate
cpe:2.3:a:themeatelier:idonate:*:*:*:*:wordpress:*:*
- >= 2.0.0, <= 2.1.9
A vulnerability exists in the IDonate Word Donation, Request And Donor Management System plugin for WordPress, specifically in versions 2.0.0 to 2.1.9. The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated users with Subscriber-level access and above to delete any user account, including those of administrators. The admin_post_donor_delete function takes the user-supplied user_id parameter and passes it to the wp_delete_user function, so an attacker can choose which account is deleted simply by changing that value; the handler does not verify that the requester is authorized to delete the targeted account.
Exploitation of this vulnerability allows for unauthorized deletion of user accounts, including administrators, from the WordPress site.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the admin_post_donor_delete action. The request must include a user_id parameter value corresponding to the ID of the user account to be deleted. This can be done through a custom script or a plugin that facilitates the sending of such requests, taking advantage of the WordPress AJAX API or admin-post.php.
Users are advised to update the IDonate WordPress plugin to version 2.1.10 or later, where this vulnerability has been patched.
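For site owners and plugin developers, the fix for this class of bug is an authorization check on the specific object being acted on, not just a login check. The handler below is an added example written for this page, not the plugin's own code or its patch; the hook name `admin_post_donor_delete` is taken from the advisory, while the nonce action name, the `idonate_is_donor` meta key and the redirect target are assumptions for illustration.

```php
<?php
// Hardened version of an admin-post "donor delete" handler (example, not the
// plugin's code). The vulnerable pattern described in the advisory is simply:
//   wp_delete_user( $_POST['user_id'] );
// i.e. authentication only, no authorization, no CSRF protection.

add_action( 'admin_post_donor_delete', 'hardened_donor_delete' );

function hardened_donor_delete() {
    // 1. CSRF: the request must carry a nonce bound to this action.
    //    'donor_delete' is an assumed nonce action name.
    check_admin_referer( 'donor_delete' ); // dies with HTTP 403 on failure

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id ) {
        wp_die( 'Missing user_id', 'Bad Request', array( 'response' => 400 ) );
    }

    // 2. Authorization on the target object. The IDOR exists because any
    //    logged-in user could supply an arbitrary user_id; the 'delete_user'
    //    meta capability is mapped by WordPress core onto 'delete_users',
    //    which Subscribers (and Editors) do not hold.
    if ( ! current_user_can( 'delete_user', $user_id ) ) {
        wp_die( 'Not allowed to delete this user', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Defense in depth: never let this handler remove an administrator
    //    or the acting user, even if role configuration is unusual.
    $target = get_userdata( $user_id );
    if ( ! $target
        || in_array( 'administrator', (array) $target->roles, true )
        || $user_id === get_current_user_id() ) {
        wp_die( 'Refusing to delete this account', 'Forbidden', array( 'response' => 403 ) );
    }

    // 4. Scope check: only accounts this plugin created as donors are in
    //    scope for this action. 'idonate_is_donor' is an assumed meta key.
    if ( ! get_user_meta( $user_id, 'idonate_is_donor', true ) ) {
        wp_die( 'Not a donor account', 'Forbidden', array( 'response' => 403 ) );
    }

    // wp_delete_user() is defined in wp-admin/includes/user.php and is not
    // always loaded on admin-post.php requests.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
```

Site owners who cannot update immediately can audit for this pattern by checking whether a given handler reaches wp_delete_user without a current_user_can() check on the supplied ID; web server logs showing POSTs to admin-post.php with action=donor_delete from low-privilege accounts would indicate exploitation attempts.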