CVE-2025-6215
BaseFortify
Publication date: 2025-07-23
Last updated on: 2025-07-25
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | omnishop | 1.0.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Omnishop plugin for WordPress has a vulnerability in its /users/register endpoint that allows unauthenticated attackers to create user accounts without any restrictions. This happens because the endpoint's permission check always returns true and it calls wp_create_user() without verifying if user registration is allowed or performing any nonce or CAPTCHA checks. As a result, attackers can bypass normal registration controls and create arbitrary customer accounts even when registrations should be closed.
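The following is an added example, not the Omnishop source and not part of the original page: it shows the always-true permission check described above beside a corrected route that honours the site's registration setting. It assumes it is loaded as a WordPress plugin file; the namespace `example-shop/v1` and all `example_shop_*` names are hypothetical.

```php
<?php
// Added illustration, not the Omnishop source. The namespace "example-shop/v1"
// and every example_shop_* name are hypothetical.

// Weak form described above: the permission check always returns true,
// so the route is callable even when registration is closed.
$weak_args = [
    'methods'             => 'POST',
    'callback'            => 'example_shop_register_user',
    'permission_callback' => '__return_true',
];

// Corrected form: the permission callback enforces the registration setting.
$hardened_args = [
    'methods'             => 'POST',
    'callback'            => 'example_shop_register_user',
    'permission_callback' => 'example_shop_registration_allowed',
];

// Only the corrected arguments are registered.
add_action('rest_api_init', function () use ($hardened_args) {
    register_rest_route('example-shop/v1', '/users/register', $hardened_args);
});

function example_shop_registration_allowed(WP_REST_Request $request) {
    // "Anyone can register" (Settings > General) is stored in users_can_register.
    if (!get_option('users_can_register')) {
        return new WP_Error('registration_closed', 'User registration is disabled.', ['status' => 403]);
    }
    return true;
}

function example_shop_register_user(WP_REST_Request $request) {
    $login = sanitize_user((string) $request->get_param('username'), true);
    $email = sanitize_email((string) $request->get_param('email'));
    if ($login === '' || !is_email($email)) {
        return new WP_Error('invalid_input', 'A valid username and email are required.', ['status' => 400]);
    }
    // wp_create_user() returns a WP_Error for duplicate usernames or emails.
    $user_id = wp_create_user($login, wp_generate_password(), $email);
    if (is_wp_error($user_id)) {
        return $user_id;
    }
    return new WP_REST_Response(['id' => $user_id], 201);
}
```

With registration disabled, the REST API returns the 403 from the permission callback and `wp_create_user()` is never reached.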
How can this vulnerability impact me?
This vulnerability allows attackers to create unauthorized user accounts on a WordPress site using the Omnishop plugin. This can lead to unauthorized access, potential abuse of user privileges, spam accounts, and could undermine the integrity of the site's user base. Although it does not directly impact confidentiality or availability, it can lead to integrity issues by allowing attackers to inject arbitrary users.