CVE-2025-9209
Published: 03 October 2025
Summary
CVE-2025-9209 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in WordPress (inferred from references; the affected component is the RestroPress plugin, see below). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).
Deeper analysis
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to authentication bypass in versions 3.0.0 to 3.1.9.2. The issue arises because the plugin exposes user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint, allowing the creation of forged JWT tokens.
Unauthenticated attackers can exploit the flaw to impersonate any user on the site, including administrators, and thereby gain full access to associated accounts and functionality. The vulnerability carries a CVSS score of 9.8.
The EPSS score rose from a low starting point to a peak of 0.2355 on 2026-05-20 before receding to the current value of 0.0962, indicating that exploitation interest emerged after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32531
Vulnerability details
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing WordPress REST API endpoint (Exploit Public-Facing Application, T1190) to expose data that lets attackers forge JWTs for user impersonation (Forge Web Credentials, T1606).
Mitigating Controls (NIST 800-53 r5)
- AC-22 (Publicly Accessible Content): directly controls access to and protects the sensitive user private tokens and API data exposed via the publicly accessible /wp-json/wp/v2/users REST API endpoint.
- IA-5 (Authenticator Management): mandates management and protection of authenticators, including private JWT tokens, to prevent their exposure and subsequent forgery by unauthenticated attackers.
- Output filtering: requires filtering and controlling system outputs, such as REST API responses, to block unauthorized disclosure of sensitive token data.
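The following is an added hardening example written for this page; it is not code from RestroPress, Wordfence or WordPress core. It puts the two controls above into practice for the weakness class described here (the core /wp-json/wp/v2/users endpoint returning more user data to anonymous callers than it should): anonymous requests to the users routes are refused, and the user object returned to everyone else is reduced to an allowlist of fields so that plugin-registered fields such as per-user tokens never reach the response. It assumes only the standard WordPress hooks rest_pre_dispatch and rest_prepare_user; the field allowlist is an illustrative assumption. It is defence-in-depth, not a fix: the fix is updating the plugin out of the affected 3.0.0 to 3.1.9.2 range.

```php
<?php
/**
 * Plugin Name: REST users endpoint hardening (added example, not part of RestroPress)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

if (!defined('ABSPATH')) {
    exit;
}

// 1. Refuse anonymous access to every route under /wp/v2/users.
//    rest_pre_dispatch runs before the route callback; returning a WP_Error
//    short-circuits the request. Logged-in users are left alone so that the
//    block editor's /wp/v2/users/me and author lookups keep working.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    $route = $request->get_route();
    if (strpos($route, '/wp/v2/users') === 0 && !is_user_logged_in()) {
        return new WP_Error(
            'rest_forbidden',
            'You must be logged in to view user data.',
            ['status' => 401]
        );
    }
    return $result;
}, 10, 3);

// 2. For permitted callers, return only an explicit set of fields. Anything a
//    plugin adds via register_rest_field() (including any secret it stores per
//    user) is dropped unless named here. The allowlist is an assumption made
//    for this example; adjust it to what your site actually needs.
const EXAMPLE_REST_USER_ALLOWED_FIELDS = ['id', 'name', 'slug', 'avatar_urls'];

add_filter('rest_prepare_user', function ($response, $user, $request) {
    if ($request->get_param('context') === 'edit') {
        // Profile editing in wp-admin needs the full object; core already
        // requires the edit_user capability for this context.
        return $response;
    }
    $data = $response->get_data();
    foreach (array_keys($data) as $key) {
        if (!in_array($key, EXAMPLE_REST_USER_ALLOWED_FIELDS, true)) {
            unset($data[$key]);
        }
    }
    $response->set_data($data);
    return $response;
}, 10, 3);
```

Two caveats a practitioner would check: rest_prepare_user only covers the core users controller, so routes a plugin registers under its own namespace need the same treatment, and a site whose theme relies on anonymous author listings will see those break. Verify the first hook with an unauthenticated request to /wp-json/wp/v2/users, which should now answer 401, and the second by confirming that an authenticated request returns only the allowlisted keys.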