Cyber Resilience

CVE-2025-7642

Critical

Published: 23 August 2025

Published
23 August 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0048 65.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7642 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-7642 is an authentication bypass vulnerability (CWE-288) in the Simpler Checkout plugin for WordPress, affecting versions 0.7.0 through 1.1.9. The flaw occurs because the plugin does not properly verify a user's identity prior to logging them in as an admin via the simplerwc_woocommerce_order_created() function, published on 2025-08-23 with a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By obtaining an order ID—such as from a test order placed by a site administrator—they can log in as any user associated with that order, potentially gaining administrator access and full control over the site.

Advisories referenced include the plugin's source code at hooks.php line 7 in version 1.1.9 on the WordPress plugin trac and a Wordfence threat intelligence report (ID 02cf0e1a-bd12-44b1-9bc5-1a5ec332b000), which detail the vulnerability for mitigation guidance.

EU & UK References

Vulnerability details

The Simpler Checkout plugin for WordPress is vulnerable to Authentication Bypass in versions 0.7.0 to 1.1.9. This is due to the plugin not properly verifying a user's identity prior to logging them in as an admin through the simplerwc_woocommerce_order_created() function.…

more

This makes it possible for unauthenticated attackers to log in as other users based on their order ID, which can be an administrator if a site admin has placed a test order.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Authentication bypass in public-facing WordPress plugin enables remote unauthenticated admin login via valid accounts (order ID abuse).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25357Shared CWE-288
CVE-2025-1061Shared CWE-288
CVE-2025-6895Shared CWE-288
CVE-2025-23504Shared CWE-288
CVE-2026-29139Shared CWE-288
CVE-2025-1564Shared CWE-288
CVE-2025-8359Shared CWE-288
CVE-2026-27389Shared CWE-288
CVE-2025-7710Shared CWE-288
CVE-2026-27049Shared CWE-288

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates unique identification and authentication of users prior to granting access, directly addressing the plugin's failure to verify identity before logging in as an admin via order ID.

prevent

Enforces approved authorizations for logical access, preventing unauthenticated attackers from bypassing authentication to gain administrator privileges using order IDs.

prevent

Requires timely identification, reporting, and correction of software flaws like this authentication bypass in the Simpler Checkout plugin.

References