CVE-2025-6187

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions bSecure plugin for WordPress versions 1.3.7 through 1.7.9

Description The plugin is susceptible to privilege escalation due to a missing authorization check within the order info REST endpoint. The /webhook/v2/order info/ route’s permission callback consistently returns true, bypassing authentication. This allows unauthenticated attackers with knowledge of a user’s email address to obtain a valid login cookie and impersonate that account.

Recommendations Update to a version of the bSecure plugin for WordPress newer than 1.7.9.

Fix

LPE

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2025-6187

Affected Products

Bsecure

CVE-2025-6187

Weakness Enumeration

Related Identifiers

Affected Products

References · 11