216.73.217.64

CVE-2025-6214

· Published 23/07/2025 03:15 · Modified 23/07/2025 03:15

Labels: CVE-2025-6214 2025-07-23CVE-2025-6214CWE-352[email protected]

Essential information

Published
23/07/2025 03:15
Modified
23/07/2025 03:15
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS metrics

Description

The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wordpress / omnishop plugin cpe:2.3:a:wordpress:omnishop_plugin:*:*:*:*:*:wordpress:*:*

References