CVE-2025-6214

Name of the Vulnerable Software and Affected Versions Omnishop versions up to and including 1.0.9

Description The Omnishop plugin for WordPress is susceptible to Cross-Site Request Forgery on its /users/delete REST route. The route’s permission callback only verifies that the requester is logged in, but does not require a nonce or other proof of intent. This allows unauthenticated attackers to delete arbitrary user accounts via a forged request if they can trick a site administrator into performing an action, such as clicking a link.

Recommendations Update Omnishop to a version later than 1.0.9.