CVE-2025-6187
Published: 22 July 2025
Summary
CVE-2025-6187 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations on system resources, directly addressing the missing authorization checks in the vulnerable REST endpoint that allow unauthenticated access.
- IA-5 (Authenticator Management): requires proper management of authenticators such as login cookies, preventing their issuance based solely on an email address without authentication.
- AC-6 (Least Privilege): limits the scope of damage from privilege escalation even if initial access enforcement fails.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated exploitation of a public WordPress REST endpoint (T1190) yields valid session cookies, which in turn enable account impersonation through Valid Accounts (T1078) and Web Session Cookie (T1550.004).
NVD Description
The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user's email to obtain a valid login cookie and fully impersonate that account.
Deeper analysis
CVE-2025-6187 is a privilege escalation vulnerability in the bSecure plugin for WordPress, affecting versions 1.3.7 through 1.7.9. The issue stems from missing authorization checks in the plugin's order_info REST endpoint, specifically the /webhook/v2/order_info/ route. This route is registered with a permission_callback that always returns true, bypassing all authentication requirements. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization).
Unauthenticated attackers can exploit this vulnerability if they know any user's email address. By sending a request to the vulnerable endpoint with the target's email, attackers can obtain a valid login cookie for that user account, enabling full impersonation. This grants complete access to the victim's privileges, potentially allowing arbitrary actions such as data theft, account takeover, or further compromise of the WordPress site.
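The registration pattern described above, beside a hardened form, as an added example written for this page; it is not bSecure's code, and the namespace `example-plugin/v2`, the option name `example_plugin_webhook_secret`, the header `X-Example-Signature` and the helper names are assumptions chosen for illustration. It shows the two defects a reviewer should look for: a `permission_callback` of `__return_true` on a route that does sensitive work, and a handler that turns a client-supplied email into a login cookie. The hardened route authenticates the caller with an HMAC over the raw body using a server-side secret, compares it in constant time, and never calls `wp_set_auth_cookie()` on the webhook path at all.

```php
<?php
// Added example, not the plugin's own code. Names marked "assumed" are
// placeholders for illustration only.

add_action( 'rest_api_init', function () {
    // Vulnerable pattern: '__return_true' makes every caller "authorized",
    // so the handler below runs for fully unauthenticated requests.
    register_rest_route( 'example-plugin/v2', '/order_info_vulnerable/', array( // assumed route
        'methods'             => 'POST',
        'callback'            => 'example_order_info_vulnerable',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: the permission callback proves the request came from
    // the webhook's owner before the handler runs.
    register_rest_route( 'example-plugin/v2', '/order_info/', array( // assumed route
        'methods'             => 'POST',
        'callback'            => 'example_order_info_handler',
        'permission_callback' => 'example_order_info_permission',
    ) );
} );

// The defect the advisory describes: trusting an email from the request body
// and issuing a session for whichever account owns it.
function example_order_info_vulnerable( WP_REST_Request $request ) {
    $user = get_user_by( 'email', (string) $request->get_param( 'email' ) );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID ); // never do this on an unauthenticated route
    }
    return rest_ensure_response( array( 'ok' => (bool) $user ) );
}

// Hardened permission check: HMAC-SHA256 over the raw body with a secret
// that only the site and the webhook sender share.
function example_order_info_permission( WP_REST_Request $request ) {
    $secret = (string) get_option( 'example_plugin_webhook_secret' ); // assumed option name
    if ( '' === $secret ) {
        // Fail closed: an unconfigured secret must not mean "allow everyone".
        return new WP_Error( 'rest_forbidden', 'Webhook secret not configured.', array( 'status' => 403 ) );
    }

    $provided = (string) $request->get_header( 'x-example-signature' ); // assumed header
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );

    // hash_equals() avoids leaking the expected value through timing.
    if ( '' === $provided || ! hash_equals( $expected, $provided ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid webhook signature.', array( 'status' => 403 ) );
    }
    return true;
}

// Hardened handler: act on the order referenced in the payload and return
// only order data. No user lookup by email, no login cookie.
function example_order_info_handler( WP_REST_Request $request ) {
    $payload  = $request->get_json_params();
    $order_id = isset( $payload['order_id'] ) ? absint( $payload['order_id'] ) : 0; // assumed field

    if ( 0 === $order_id ) {
        return new WP_Error( 'rest_invalid_param', 'Missing order_id.', array( 'status' => 400 ) );
    }

    // Record the webhook against the order; the persistence call is illustrative.
    update_post_meta( $order_id, '_example_webhook_received', time() ); // assumed meta key

    return rest_ensure_response( array( 'order_id' => $order_id, 'status' => 'received' ) );
}
```

When auditing a plugin for this class of bug, grep for `'permission_callback' => '__return_true'` (and callbacks whose body is just `return true;`) and confirm each such route does nothing a guest should not be able to trigger; any route on that list that reaches `wp_set_auth_cookie()`, `wp_set_current_user()` or a role change is the same defect this CVE describes.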
References provided include source code excerpts from the bSecure plugin's class-bsecure-checkout.php and class-wc-bsecure.php files in version 1.7.9, the plugin's WordPress.org developers page, and a Wordfence threat intelligence report on the vulnerability. Security practitioners should review these resources for code analysis and advisory details on mitigation, such as updating to a patched version if available.
Details
- CWE(s)