CVE-2025-9209
Published: 03 October 2025
Summary
CVE-2025-9209 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly controls access to and protects sensitive user private tokens and API data exposed via the publicly accessible /wp-json/wp/v2/users REST API endpoint.
- Mandates management and protection of authenticators, including private JWT tokens, to prevent their exposure and subsequent forgery by unauthenticated attackers.
- Requires filtering and controlling system outputs, such as REST API responses, to block unauthorized disclosure of sensitive token data.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing WordPress REST API endpoint (T1190) to expose data allowing attackers to forge JWTs for user impersonation (T1606).
NVD Description
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.
Deeper analysis
CVE-2025-9209 is an authentication bypass vulnerability affecting the RestroPress – Online Food Ordering System plugin for WordPress, in versions 3.0.0 through 3.1.9.2. The issue stems from the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint, enabling unauthenticated attackers to forge JSON Web Tokens (JWT) for any user, including administrators. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), published on 2025-10-03.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By accessing the exposed endpoint, they retrieve sensitive token data to craft valid JWTs impersonating other users, gaining full access to their accounts. This allows arbitrary administrative actions, such as modifying site content, user privileges, or plugin configurations, potentially leading to complete site compromise.
Advisories from Wordfence and the plugin's WordPress.org page provide details on the vulnerability, including references for further analysis at https://www.wordfence.com/threat-intel/vulnerabilities/id/359833dd-de3c-48ea-8eef-06588a590da2?source=cve and https://wordpress.org/plugins/restropress/. Security practitioners should review these for patch availability and update affected installations to mitigate the risk.
Details
- CWE(s)