CVE-2025-6187
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-07-22
Last updated on: 2025-07-22
Assigner: Wordfence
Description
Description
The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any userβs email to obtain a valid login cookie and fully impersonate that account.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| woocommerce | woocommerce | * |
| bsecuretech | bsecure | 1.7.9 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The bSecure plugin for WordPress has a vulnerability in its order_info REST endpoint where the permission check always returns true, allowing unauthenticated attackers who know any user's email to bypass authentication and obtain a valid login cookie to fully impersonate that user.
How can this vulnerability impact me? :
This vulnerability can allow attackers to fully impersonate any user by obtaining their login cookie without authentication, potentially leading to unauthorized access to user accounts, data theft, and full control over affected accounts.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70