Platform
wordpress
Component
bsecure
Fixed in
1.7.10
CVE-2025-6187 is a critical Privilege Escalation vulnerability affecting the bSecure WordPress plugin. An attacker can exploit this flaw to gain unauthorized access to user accounts by bypassing authentication checks within the plugin's order_info REST endpoint. This vulnerability impacts versions 1.3.7 through 1.7.9 of the bSecure plugin, and a patch has been released to address the issue.
The bSecure WordPress plugin is vulnerable to a critical Privilege Escalation vulnerability (CVE-2025-6187) allowing unauthenticated attackers to take control of user accounts. The vulnerability lies within the /webhook/v2/order_info/ REST endpoint, where the permission callback always returns true, effectively bypassing all authentication checks. This means an attacker, knowing a user’s email address, can obtain a valid login cookie and therefore impersonate that user, accessing sensitive information and performing actions on their behalf. The impact is severe, compromising user account security and website data integrity. Affected versions are 1.3.7 through 1.7.9. Currently, no official fix is available.
An attacker could exploit this vulnerability by sending HTTP requests to the /webhook/v2/order_info/ endpoint with a WordPress user's email address. The lack of authentication allows the attacker to obtain sensitive account information, including personal data, order history, and potentially payment information. This information can be used for identity theft, financial fraud, or to further compromise the website's security. The ease of exploitation, combined with the severity of the impact, makes this vulnerability a significant risk for websites using the bSecure plugin.
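The root cause described above, a REST route whose permission callback unconditionally returns true, is shown here next to a permission callback that actually authenticates the caller. This is an added illustration, not bSecure's code: the namespace `webhook/v2` and route `/order_info/` are taken from the advisory's URL, while the signature header, the secret option and the function names are assumptions.

```php
<?php
// Added illustration (not the plugin's code). Contrasts the weak pattern the
// advisory describes with a permission callback that verifies the caller.
// Assumed names: 'example_webhook_secret' option, 'X-Example-Signature' header.

// Weak pattern: '__return_true' means the REST API never rejects a caller, so
// the handler's own lookup by e-mail address runs for anyone on the internet.
function example_register_order_info_weak() {
    register_rest_route( 'webhook/v2', '/order_info/', array(
        'methods'             => 'POST',
        'callback'            => 'example_order_info_handler',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened pattern: authenticate the webhook before the handler runs by
// checking an HMAC over the raw request body, computed with a secret that is
// shared only with the upstream payment service.
function example_order_info_permission( WP_REST_Request $request ) {
    $secret    = get_option( 'example_webhook_secret' );        // assumed option name
    $signature = $request->get_header( 'X-Example-Signature' ); // assumed header name
    if ( empty( $secret ) || empty( $signature ) ) {
        return new WP_Error( 'rest_forbidden', 'Missing signature.', array( 'status' => 401 ) );
    }
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    // hash_equals() compares in constant time, so timing does not leak the MAC.
    if ( ! hash_equals( $expected, (string) $signature ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid signature.', array( 'status' => 403 ) );
    }
    return true;
}

function example_register_order_info_hardened() {
    register_rest_route( 'webhook/v2', '/order_info/', array(
        'methods'             => 'POST',
        'callback'            => 'example_order_info_handler',
        'permission_callback' => 'example_order_info_permission',
    ) );
}

// The handler only runs once the permission callback has returned true.
// Even then it should never mint login cookies from a caller-supplied e-mail.
function example_order_info_handler( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'received' => true ) );
}

// Only the hardened registration is hooked; the weak one is kept for contrast.
add_action( 'rest_api_init', 'example_register_order_info_hardened' );
```

A permission callback that returns a WP_Error makes WordPress answer with that status code before any plugin logic executes, which is the check the vulnerable versions lack.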
Exploit Status
EPSS
0.56% (68th percentile)
CISA SSVC
CVSS Vector
Given the lack of an official fix, the most effective immediate mitigation is to disable the bSecure plugin until the developer releases an update. If maintaining the plugin is absolutely necessary, strongly consider implementing additional security measures, such as restricting access to the /webhook/v2/order_info/ endpoint through a Web Application Firewall (WAF) or server-side firewall rules. Furthermore, review and strengthen password policies, enable two-factor authentication (2FA) for all users, and monitor the website for signs of compromise. Contacting the plugin developer to request an update is highly recommended.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Disable the plugin immediately until an update is available. Consider using an alternative plugin.
Implement additional security measures such as a WAF, firewall rules, and two-factor authentication.
Currently, there is no official workaround. The most effective mitigation is plugin deactivation.
Monitor website activity, review access logs, and look for any unusual activity.