IDonate – Blood Donation, Request And Donor Management System Security & Risk Analysis

wordpress.org/plugins/idonate

A complete WordPress system to handle blood donations, donor records, and urgent requests—ideal for hospitals, NGOs, and clinics.

90 active installs · v2.1.18 · PHP 7.4+ · WP 5.3+ · Updated Mar 12, 2026

Tags: blood, blood-donation, donation, healthcare, medical

Score: 52 (C · Use Caution)
CVEs total: 8
Unpatched: 1
Last CVE: Feb 18, 2026
Safety Verdict

Is IDonate – Blood Donation, Request And Donor Management System Safe to Use in 2026?

Use With Caution

Score 52/100

IDonate – Blood Donation, Request And Donor Management System has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

8 known CVEs · 1 unpatched · Last CVE: Feb 18, 2026 · Updated 22d ago
Risk Assessment

The "idonate" plugin v2.1.18 exhibits a concerning security posture, despite some positive indicators. While the plugin demonstrates good practices in SQL query sanitization (80% prepared statements) and output escaping (91% properly escaped), these strengths are overshadowed by significant weaknesses. The presence of 15 unprotected AJAX handlers represents a substantial attack surface, creating numerous potential entry points for unauthorized actions. Furthermore, the vulnerability history is alarming, with a total of 8 known CVEs, including one critical and two high-severity issues. The fact that one critical vulnerability remains unpatched is a severe immediate risk. The common vulnerability types found, such as Improper Authorization, Missing Authorization, and Cross-site Scripting, suggest a pattern of insecure handling of user input and access control. The plugin's last known vulnerability was as recent as February 2026, indicating ongoing security flaws or slow patching practices. While the absence of critical taint flows is a positive sign, the combination of a large unprotected attack surface and a history of critical and high-severity vulnerabilities, including an unpatched one, points to a high-risk plugin.

Key Concerns

  • Unpatched Critical CVE
  • 15 unprotected AJAX handlers
  • 1 Critical CVE (historical)
  • 2 High CVEs (historical)
  • Flows with unsanitized paths
  • Large attack surface without auth
Vulnerabilities: 8

IDonate – Blood Donation, Request And Donor Management System Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 6 CVEs (includes the unpatched one)
2026: 1 CVE

Severity Breakdown

Critical: 1
High: 2
Medium: 5

8 total CVEs

CVE-2025-4521 · high · 8.8 · Improper Authorization

IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_profile Function

Feb 18, 2026 · Patched in 2.1.0 (1d)

CVE-2025-12877 · medium · 5.3 · Missing Authorization

IDonate – Blood Donation, Request And Donor Management System <= 2.1.15 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Nov 21, 2025 · Patched in 2.1.16 (20d)

CVE-2025-4522 · medium · 6.5 · Missing Authorization

IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

Nov 6, 2025 · Patched in 2.1.10 (1d)

CVE-2025-4519 · high · 8.8 · Improper Authorization

IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_password Function

Nov 6, 2025 · Patched in 2.1.10 (1d)

CVE-2025-11154 · medium · 5.3 · Missing Authorization

IDonate < 2.1.13 - Missing Authorization

Oct 28, 2025 · Patched in 2.1.13 (2d)

CVE-2025-4523 · medium · 6.5 · Exposure of Sensitive Information to an Unauthorized Actor

IDonate 2.0.0 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via admin_donor_profile_view Function

Jul 31, 2025 · Patched in 2.1.10 (1d)

CVE-2025-32519 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

IDonate <= 2.1.9 - Unauthenticated Local File Inclusion

Apr 9, 2025 · Unpatched

CVE-2024-3594 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

IDonate – blood request management system <= 1.9.1 - Authenticated (Admin+) Stored Cross-Site Scripting

May 1, 2024 · Patched in 2.0.0 (132d)
Code Analysis
Analyzed Mar 16, 2026

IDonate – Blood Donation, Request And Donor Management System Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (4 prepared)
Unescaped Output: 170 (1765 escaped)
Nonce Checks: 36
Capability Checks: 18
File Operations: 1
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

DataTables

SQL Query Safety

80% prepared (5 total queries)

Output Escaping

91% escaped (1935 total outputs)

Data Flows: 3 unsanitized

Data Flow Analysis

14 flows, 3 with unsanitized paths

donor_popup_views_html (src\Frontend\Manager.php:156)

Attack Surface: 15 unprotected

IDonate – Blood Donation, Request And Donor Management System Attack Surface

Entry Points: 39
Unprotected: 15

AJAX Handlers: 33

auth · wp_ajax_admin_donor_profile_view · src\Admin\Admin.php:82
auth · wp_ajax_country_to_states_ajax · src\Admin\Admin.php:83
nopriv · wp_ajax_country_to_states_ajax · src\Admin\Admin.php:84
auth · wp_ajax_idonate_country_to_states_ajax · src\Admin\Admin.php:85
nopriv · wp_ajax_idonate_country_to_states_ajax · src\Admin\Admin.php:86
auth · wp_ajax_idonate-get-icons · src\Admin\Framework\functions\actions.php:50
auth · wp_ajax_idonate-export · src\Admin\Framework\functions\actions.php:85
auth · wp_ajax_idonate-import · src\Admin\Framework\functions\actions.php:119
auth · wp_ajax_idonate-reset · src\Admin\Framework\functions\actions.php:144
auth · wp_ajax_idonate-chosen · src\Admin\Framework\functions\actions.php:181
auth · wp_ajax_idonate-never-show-review-notice · src\Admin\ReviewNotice\ReviewNotice.php:29
auth · wp_ajax_themeatelier_dismiss_offer_banner · src\Admin\ReviewNotice\ThemeAtelier_Offer_Banner.php:38
auth · wp_ajax_idonate_post_popup · src\Frontend\Frontend.php:64
nopriv · wp_ajax_idonate_post_popup · src\Frontend\Frontend.php:65
auth · wp_ajax_idonate_post_admin_popup_next_prev · src\Frontend\Frontend.php:67
nopriv · wp_ajax_idonate_post_admin_popup_next_prev · src\Frontend\Frontend.php:68
auth · wp_ajax_idonate_search_donors · src\Frontend\Frontend.php:70
nopriv · wp_ajax_idonate_search_donors · src\Frontend\Frontend.php:71
auth · wp_ajax_idonate_search_request · src\Frontend\Frontend.php:73
nopriv · wp_ajax_idonate_search_request · src\Frontend\Frontend.php:74
auth · wp_ajax_idonate_country_to_states_ajax · src\Frontend\Frontend.php:76
nopriv · wp_ajax_idonate_country_to_states_ajax · src\Frontend\Frontend.php:77
auth · wp_ajax_idonate_donor_popup · src\Helpers\IDonateAjaxHandler.php:33
nopriv · wp_ajax_idonate_donor_popup · src\Helpers\IDonateAjaxHandler.php:34
auth · wp_ajax_idonate_blood_request_popup · src\Helpers\IDonateAjaxHandler.php:35
nopriv · wp_ajax_idonate_blood_request_popup · src\Helpers\IDonateAjaxHandler.php:36
auth · wp_ajax_panding_donor_action · src\Helpers\IDonateAjaxHandler.php:38
nopriv · wp_ajax_panding_donor_action · src\Helpers\IDonateAjaxHandler.php:39
auth · wp_ajax_panding_blood_request_action · src\Helpers\IDonateAjaxHandler.php:41
auth · wp_ajax_idonate_request_popup_modal · src\Helpers\IDonateAjaxHandler.php:43
nopriv · wp_ajax_idonate_request_popup_modal · src\Helpers\IDonateAjaxHandler.php:44
auth · wp_ajax_idonate_request_popup_next_prev · src\Helpers\IDonateAjaxHandler.php:45
nopriv · wp_ajax_idonate_request_popup_next_prev · src\Helpers\IDonateAjaxHandler.php:46

Shortcodes: 6

[donors] src\Idonate.php:190
[register-donor] src\Idonate.php:191
[donortable] src\Idonate.php:192
[post-blood-request] src\Idonate.php:193
[blood-request] src\Idonate.php:194
[idonate-statistics] src\Idonate.php:195
WordPress Hooks: 59

action · activated_plugin · idonate.php:63
action · after_setup_theme · src\Admin\Admin.php:79
action · admin_menu · src\Admin\Admin.php:80
action · admin_post_donor_delete · src\Admin\Admin.php:81
filter · manage_blood_request_posts_columns · src\Admin\Admin.php:87
action · manage_blood_request_posts_custom_column · src\Admin\Admin.php:88
filter · manage_edit-blood_request_sortable_columns · src\Admin\Admin.php:89
action · admin_footer · src\Admin\appsero\Insights.php:122
action · admin_notices · src\Admin\appsero\Insights.php:141
action · admin_init · src\Admin\appsero\Insights.php:144
filter · cron_schedules · src\Admin\appsero\Insights.php:150
action · plugins_loaded · src\Admin\DBUpdates.php:36
action · wp_enqueue_scripts · src\Admin\Framework\Classes\abstract.class.php:23
action · after_setup_theme · src\Admin\Framework\Classes\IDONATE.php:82
action · init · src\Admin\Framework\Classes\IDONATE.php:83
action · switch_theme · src\Admin\Framework\Classes\IDONATE.php:84
action · admin_enqueue_scripts · src\Admin\Framework\Classes\IDONATE.php:85
action · wp_enqueue_scripts · src\Admin\Framework\Classes\IDONATE.php:86
action · wp_head · src\Admin\Framework\Classes\IDONATE.php:87
filter · admin_body_class · src\Admin\Framework\Classes\IDONATE.php:88
action · add_meta_boxes · src\Admin\Framework\Classes\IDONATE_Metabox.php:60
action · save_post · src\Admin\Framework\Classes\IDONATE_Metabox.php:61
action · edit_attachment · src\Admin\Framework\Classes\IDONATE_Metabox.php:62
action · admin_menu · src\Admin\Framework\Classes\IDONATE_Options.php:114
action · admin_bar_menu · src\Admin\Framework\Classes\IDONATE_Options.php:115
action · network_admin_menu · src\Admin\Framework\Classes\IDONATE_Options.php:119
filter · admin_footer_text · src\Admin\Framework\Classes\IDONATE_Options.php:508
action · admin_init · src\Admin\Framework\Classes\IDONATE_Taxonomy_Options.php:47
action · admin_print_footer_scripts · src\Admin\Framework\fields\link\link.php:67
action · print_default_editor_scripts · src\Admin\Framework\fields\wp_editor\wp_editor.php:67
action · admin_notices · src\Admin\ReviewNotice\ReviewNotice.php:28
action · admin_notices · src\Admin\ReviewNotice\ThemeAtelier_Offer_Banner.php:37
action · init · src\Admin\updates\update-2.1.0.php:69
action · init · src\Admin\updates\update-2.1.0.php:77
action · widgets_init · src\Admin\Views\Statistics.php:112
action · widgets_init · src\Admin\Views\WidgetBloodRequiest.php:145
filter · query_vars · src\Frontend\Helpers\RewriteRules.php:27
action · generate_rewrite_rules · src\Frontend\Helpers\RewriteRules.php:29
filter · template_include · src\Frontend\Helpers\Template.php:31
filter · single_template · src\Helpers\helper-functions.php:37
filter · template_include · src\Helpers\helper-functions.php:54
action · login_redirect · src\Helpers\helper-functions.php:346
action · wp_login_failed · src\Helpers\helper-functions.php:358
action · wp_logout · src\Helpers\helper-functions.php:378
action · init · src\Helpers\helper-functions.php:460
action · after_setup_theme · src\Helpers\helper-functions.php:523
action · admin_footer · src\Helpers\TaT_Donor.php:26
action · admin_footer · src\Helpers\TaT_Donor.php:27
action · admin_footer · src\Helpers\TaT_Donor.php:28
action · admin_footer · src\Helpers\TaT_Donor.php:29
action · init · src\Idonate.php:86
filter · show_admin_bar · src\Idonate.php:95
action · wp_loaded · src\Idonate.php:181
action · wp_enqueue_scripts · src\Idonate.php:182
action · init · src\Idonate.php:208
action · admin_enqueue_scripts · src\Idonate.php:209
action · admin_enqueue_scripts · src\Idonate.php:210
filter · post_updated_messages · src\Idonate.php:211
filter · term_updated_messages · src\Idonate.php:212
Maintenance & Trust

IDonate – Blood Donation, Request And Donor Management System Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 11K

Community Trust

Rating: 84/100
Number of ratings: 5
Active installs: 90
Developer Profile

IDonate – Blood Donation, Request And Donor Management System Developer Profile

Foysal Imran

7 plugins · 710 total installs

Trust score: 89
Avg Security Score: 93/100
Avg Patch Time: 21 days
Detection Fingerprints

How We Detect IDonate – Blood Donation, Request And Donor Management System

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/idonate/src/Admin/css/idonate-admin.css
/wp-content/plugins/idonate/src/Frontend/css/idonate-frontend.css
/wp-content/plugins/idonate/src/Frontend/css/donation-form.css
/wp-content/plugins/idonate/src/Frontend/css/responsive.css
/wp-content/plugins/idonate/src/Frontend/css/bootstrap.min.css
/wp-content/plugins/idonate/src/Frontend/css/custom.css
/wp-content/plugins/idonate/src/Frontend/css/owl.carousel.min.css
/wp-content/plugins/idonate/src/Frontend/css/jquery.dataTables.min.css
+22 more
Script Paths
/wp-content/plugins/idonate/src/Admin/appsero/js/appsero-admin-script.js
Version Parameters
idonate/style.css?ver=, idonate/script.js?ver=, idonate-admin.css?ver=, idonate-frontend.css?ver=, donation-form.css?ver=, responsive.css?ver=, bootstrap.min.css?ver=, custom.css?ver=, owl.carousel.min.css?ver=, jquery.dataTables.min.css?ver=, jquery.dataTables.css?ver=, select2.min.css?ver=, sweetalert2.min.css?ver=, animate.min.css?ver=, jquery.validate.min.js?ver=, bootstrap.bundle.min.js?ver=, jquery.dataTables.min.js?ver=, owl.carousel.min.js?ver=, select2.min.js?ver=, sweetalert2.min.js?ver=, custom.js?ver=, donation-form.js?ver=, idonate-admin.js?ver=, idonate-dashboard.js?ver=, idonate-settings.js?ver=, idonate-donor-profile.js?ver=, idonate-donor-list.js?ver=, idonate-blood-request.js?ver=, idonate-campaign.js?ver=, idonate-donation.js?ver=, idonate-settings.js?ver=, appsero-admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
idonate_page_content, idonate-user-heading-bar, idoante-user-heading-bar-left, idoante-user-heading-bar-right, idonate-btn-primary, idonate-btn-secondary, idonate-btn-pro, idonate_pending_list_wrapper, +19 more
HTML Comments
<!-- ThemeAtelier_Offer_Banner::instance() -->, <!-- idonate_metaboxes -->, <!-- idonate_settings -->, <!-- Load donor panel template -->, +20 more
Data Attributes
data-idonate-country-field, data-idonate-state-field, data-idonate-city-field, data-idonate-country-id, data-idonate-state-id, data-idonate-city-id, +10 more
JS Globals
idonate_ajax_object, idonate_donation_script_vars, idonate_admin_script_vars, idonate_dashboard_script_vars, idonate_settings_script_vars, idonate_donor_profile_script_vars, +4 more
Shortcode Output
<div class="idonate_shortcode_wrapper">
<div id="idonate-donation-form-container">
<div id="idonate-donor-list-container">
<div id="idonate-blood-request-list-container">
FAQ

Frequently Asked Questions about IDonate – Blood Donation, Request And Donor Management System