CVE-2025-9209

Severity: Critical

Published: 03 October 2025
Modified: 15 April 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0962 (93.1st percentile)
Risk Priority: 25 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9209 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).

Deeper analysis

The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to authentication bypass in versions 3.0.0 to 3.1.9.2. The issue arises because the plugin exposes user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint, allowing the creation of forged JWT tokens.

Unauthenticated attackers can exploit the flaw to impersonate any user on the site, including administrators, and thereby gain full access to associated accounts and functionality. The vulnerability carries a CVSS score of 9.8.

The EPSS score rose from a low starting point to a peak of 0.2355 on 2026-05-20 before receding to the current value of 0.0962, indicating that exploitation interest emerged after disclosure.

Vulnerability details

The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.
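As an added defender-side example (not part of this advisory or of the RestroPress project), the script below does the two checks a responder would want from the details above: it tests whether an installed RestroPress version string falls inside the affected range 3.0.0 to 3.1.9.2, and it scans web-server access logs for successful requests to the /wp-json/wp/v2/users endpoint that do not come from the site's own admin UI. The log lines, the host name example.test, and the same-site-referer heuristic are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Affected RestroPress versions per the advisory: 3.0.0 through 3.1.9.2 inclusive.
VULN_MIN = (3, 0, 0)
VULN_MAX = (3, 1, 9, 2)

# Combined log format (Apache/nginx default). Sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The users collection, either as a pretty-permalink route or via ?rest_route=.
USERS_ROUTE = re.compile(r'^(?:/wp-json/wp/v2/users(?:/|\?|$)|/\?rest_route=/wp/v2/users)')


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().split('.'))


def is_vulnerable_version(v: str) -> bool:
    """True if the installed RestroPress version is inside the advisory's affected range."""
    return VULN_MIN <= parse_version(v) <= VULN_MAX


def find_user_endpoint_hits(lines, site_host: str):
    """Successful users-endpoint requests without a same-site referer (assumed heuristic:
    admin-UI calls carry one; direct harvesting of the endpoint usually does not)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not USERS_ROUTE.match(m['target']) or m['status'] != '200':
            continue
        if site_host not in m['referer']:
            hits.append({'ip': m['ip'], 'target': m['target'], 'ua': m['ua']})
    return hits


def hits_per_source(hits):
    """Count flagged requests per client address for triage."""
    return Counter(h['ip'] for h in hits)


SAMPLE_LOG = [  # constructed sample data
    '203.0.113.7 - - [03/Oct/2025:10:15:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [03/Oct/2025:10:15:03 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 20480 "-" "curl/8.4.0"',
    '198.51.100.2 - - [03/Oct/2025:10:16:10 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '192.0.2.9 - admin [03/Oct/2025:10:17:00 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 900 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.2 - - [03/Oct/2025:10:18:22 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 403 120 "-" "python-requests/2.31"',
]

if __name__ == '__main__':
    print('3.1.9.2 affected:', is_vulnerable_version('3.1.9.2'))
    print(hits_per_source(find_user_endpoint_hits(SAMPLE_LOG, 'example.test')))
```

A 403 on the endpoint is left out of the flagged set because it indicates the site is already refusing unauthenticated enumeration; a run of 200s from one source is the pattern worth escalating.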

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606 Forge Web Credentials (Credential Access): Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

The vulnerability enables exploitation of a public-facing WordPress REST API endpoint (T1190) to expose data allowing attackers to forge JWTs for user impersonation (T1606).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13796 (shared CWE-200)
CVE-2025-25975 (shared CWE-200)
CVE-2024-12142 (shared CWE-200)
CVE-2025-25951 (shared CWE-200)
CVE-2026-34297 (shared CWE-200)
CVE-2024-26480 (shared CWE-200)
CVE-2026-24498 (shared CWE-200)
CVE-2025-22828 (shared CWE-200)
CVE-2026-23659 (shared CWE-200)
CVE-2024-11282 (shared CWE-200)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

AC-22 Publicly Accessible Content (prevent): Directly controls access to and protects sensitive user private tokens and API data exposed via the publicly accessible /wp-json/wp/v2/users REST API endpoint.

IA-5 Authenticator Management (prevent): Mandates management and protection of authenticators, including private JWT tokens, to prevent their exposure and subsequent forgery by unauthenticated attackers.

Prevent: Requires filtering and controlling system outputs, such as REST API responses, to block unauthorized disclosure of sensitive token data.
