平台
wordpress
组件
bsecure
修复版本
1.7.10
CVE-2025-6187 is a critical Privilege Escalation vulnerability affecting the bSecure WordPress plugin. An attacker can exploit this flaw to gain unauthorized access to user accounts by bypassing authentication checks within the plugin's order_info REST endpoint. This vulnerability impacts versions 1.3.7 through 1.7.9 of the bSecure plugin, and a patch has been released to address the issue.
The bSecure WordPress plugin is vulnerable to a critical Privilege Escalation vulnerability (CVE-2025-6187) allowing unauthenticated attackers to take control of user accounts. The vulnerability lies within the /webhook/v2/order_info/ REST endpoint, where the permission callback always returns true, effectively bypassing all authentication checks. This means an attacker, knowing a user’s email address, can obtain a valid login cookie and therefore impersonate that user, accessing sensitive information and performing actions on their behalf. The impact is severe, compromising user account security and website data integrity. Affected versions are 1.3.7 through 1.7.9. Currently, no official fix is available.
An attacker could exploit this vulnerability by sending HTTP requests to the /webhook/v2/order_info/ endpoint with a WordPress user's email address. The lack of authentication allows the attacker to obtain sensitive account information, including personal data, order history, and potentially payment information. This information can be used for identity theft, financial fraud, or to further compromise the website's security. The ease of exploitation, combined with the severity of the impact, makes this vulnerability a significant risk for websites using the bSecure plugin.
漏洞利用状态
EPSS
0.56% (68% 百分位)
CISA SSVC
CVSS 向量
Given the lack of an official fix, the most effective immediate mitigation is to disable the bSecure plugin until the developer releases an update. If maintaining the plugin is absolutely necessary, strongly consider implementing additional security measures, such as restricting access to the /webhook/v2/order_info/ endpoint through a Web Application Firewall (WAF) or server-side firewall rules. Furthermore, review and strengthen password policies, enable two-factor authentication (2FA) for all users, and monitor the website for signs of compromise. Contacting the plugin developer to request an update is highly recommended.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
漏洞分析和关键警报直接发送到您的邮箱。
It's a unique identifier for this specific vulnerability, used to track and reference it in security reports.
Disable the plugin immediately until an update is available. Consider using an alternative plugin.
Implement additional security measures such as a WAF, firewall rules, and two-factor authentication.
Currently, there is no official workaround. The most effective mitigation is plugin deactivation.
Monitor website activity, review access logs, and look for any unusual activity.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。