CVE-2025-6187: CWE-862 Missing Authorization in bsecuretech bSecure – Your Universal Checkout

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2025-6187, cwe-862
Published: Tue Jul 22 2025 (07/22/2025, 09:22:44 UTC)
Source: CVE Database V5
Vendor/Project: bsecuretech
Product: bSecure – Your Universal Checkout

Description

The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user’s email to obtain a valid login cookie and fully impersonate that account.

AI-Powered Analysis

Last updated: 07/22/2025, 09:46:35 UTC

Technical Analysis

CVE-2025-6187 is a critical security vulnerability affecting the bSecure – Your Universal Checkout WordPress plugin, versions 1.3.7 through 1.7.9. The vulnerability arises from a missing authorization check in the plugin's REST API endpoint /webhook/v2/order_info/. Specifically, the endpoint's permission_callback function is improperly implemented to always return true, effectively bypassing any authentication or authorization controls. This flaw allows unauthenticated attackers who know any user's email address to invoke this endpoint and obtain a valid login cookie for that user. Consequently, the attacker can fully impersonate the targeted user account, gaining access to all privileges and data associated with that account. The vulnerability is classified under CWE-862 (Missing Authorization) and has been assigned a CVSS v3.1 base score of 9.8, indicating critical severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality, integrity, and availability to a high degree (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the ease of exploitation and the severity of impact make this a highly urgent issue for affected organizations. The vulnerability could be leveraged for account takeover, data theft, fraudulent transactions, or further lateral movement within compromised WordPress environments using the bSecure plugin.
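The defect described above is a route registration whose permission callback grants access to every caller. The following is an added illustrative example, not the bSecure plugin's own source: it reconstructs that pattern next to a hardened registration for a machine-to-machine webhook. The namespace and route (`webhook/v2`, `order_info`) are taken from the advisory; the `example_` function names, the `example_webhook_secret` option and the `X-Example-Signature` header are assumptions chosen for the example.

```php
<?php
// Added example (not vendor code). Contrasts the CWE-862 pattern from the
// advisory with a permission_callback that actually authorizes the caller.

/**
 * Vulnerable pattern: '__return_true' authorizes everyone, including
 * anonymous callers, so the handler runs for any request that reaches it.
 * Shown for contrast only; it is deliberately NOT hooked below.
 */
function example_register_vulnerable_route() {
    register_rest_route( 'webhook/v2', '/order_info/', array(
        'methods'             => 'POST',
        'callback'            => 'example_order_info_handler',
        'permission_callback' => '__return_true', // the CWE-862 defect
    ) );
}

/**
 * Hardened pattern: the permission callback must prove who is calling
 * before the handler executes. This is the registration that is hooked.
 */
function example_register_hardened_route() {
    register_rest_route( 'webhook/v2', '/order_info/', array(
        'methods'             => 'POST',
        'callback'            => 'example_order_info_handler',
        'permission_callback' => 'example_order_info_permission',
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

/**
 * Permission callback for a gateway-to-site webhook. Requires an HMAC-SHA256
 * signature over the raw body, computed with a secret shared only between
 * the site and the payment gateway. Option and header names are hypothetical.
 */
function example_order_info_permission( WP_REST_Request $request ) {
    $secret = (string) get_option( 'example_webhook_secret', '' );
    if ( $secret === '' ) {
        // Fail closed: a missing secret must not degrade into open access.
        return new WP_Error( 'rest_forbidden', 'Webhook secret not configured.', array( 'status' => 403 ) );
    }

    // WP canonicalizes header names, so 'X-Example-Signature' is read as below.
    $provided = (string) $request->get_header( 'x_example_signature' );
    $expected = hash_hmac( 'sha256', (string) $request->get_body(), $secret );

    // Constant-time comparison; a plain '==' would leak the expected value by timing.
    if ( $provided === '' || ! hash_equals( $expected, $provided ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid webhook signature.', array( 'status' => 403 ) );
    }
    return true;
}

/**
 * Handler. Resolves the order from a gateway-supplied identifier and returns
 * order data only; it never creates a login session for a user named in the
 * request, which is the capability the advisory says the affected versions expose.
 */
function example_order_info_handler( WP_REST_Request $request ) {
    $order_id = (int) $request->get_param( 'order_id' );
    if ( $order_id <= 0 ) {
        return new WP_Error( 'rest_invalid_param', 'order_id is required.', array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'order_id' => $order_id, 'status' => 'received' ) );
}
```

Two design points matter here. First, `permission_callback` is the only gate WordPress runs before the handler, so anything other than a real caller check (`__return_true`, or a callback that only inspects a parameter the caller controls) is equivalent to no authorization. Second, even a correctly gated webhook should not issue session cookies from data in the request body; the signature check authenticates the gateway, not any end user the payload mentions.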

Potential Impact

For European organizations, the impact of this vulnerability can be severe. Many European businesses rely on WordPress for e-commerce and customer engagement, and the bSecure plugin is designed to facilitate universal checkout processes. An attacker exploiting this flaw could impersonate legitimate users, including customers or administrators, leading to unauthorized access to sensitive personal data protected under GDPR, financial information, and order histories. This could result in significant data breaches, financial fraud, reputational damage, and regulatory penalties. The ability to fully impersonate accounts without authentication also opens the door to further attacks such as privilege escalation, injection of malicious orders, or disruption of business operations. Given the critical nature of the vulnerability and the widespread use of WordPress in Europe, organizations face a high risk of compromise if they use affected plugin versions and do not apply mitigations promptly.

Mitigation Recommendations

Immediate mitigation steps include upgrading the bSecure plugin to a patched version once released by the vendor. Until a patch is available, organizations should consider disabling the bSecure plugin or restricting access to the vulnerable REST endpoint via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests to /webhook/v2/order_info/. Additionally, monitoring web server logs for suspicious access patterns to this endpoint and unusual login cookie generation can help detect exploitation attempts. Organizations should also enforce strong password policies and multi-factor authentication (MFA) for WordPress accounts to reduce the impact of potential account takeovers. Conducting a thorough audit of user accounts and sessions after patching is recommended to identify any unauthorized access. Finally, organizations should maintain an incident response plan tailored to WordPress environments to quickly respond to exploitation attempts.
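One way to apply the "restrict access to the vulnerable REST endpoint" step at the WordPress level, when a WAF or web-server rule is not available, is a must-use plugin that short-circuits REST dispatch for the affected route and logs each blocked attempt. This is an added example for the mitigation above, not vendor or project code; the route pattern comes from the advisory, while the `example_` names, the administrator-only interim policy and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Example interim block for the bSecure order_info route
 *
 * Added example (not vendor code). Place in wp-content/mu-plugins/ so it loads
 * before regular plugins. Denies requests to /webhook/v2/order_info/ unless
 * the caller is an authenticated administrator, and logs every denial so the
 * attempts can be correlated with web-server logs. Remove once the vendor's
 * patched plugin version is installed.
 */

// Route from the advisory; the trailing slash is optional in the match.
const EXAMPLE_BLOCKED_ROUTE = '#^/webhook/v2/order_info/?$#';

// rest_pre_dispatch runs before any endpoint callback, including the affected
// plugin's own permission_callback. Returning a WP_Error stops dispatch, so the
// vulnerable handler never executes.
add_filter( 'rest_pre_dispatch', 'example_block_order_info', 10, 3 );

function example_block_order_info( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( ! preg_match( EXAMPLE_BLOCKED_ROUTE, $request->get_route() ) ) {
        return $result; // Not the affected route: leave dispatch untouched.
    }

    // Interim policy (assumption): only an authenticated administrator may reach
    // the route. If the payment gateway must keep calling it, replace this with a
    // source-IP or signature check that matches how the gateway actually calls.
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Record method, route, source address and user agent for triage.
    error_log( sprintf(
        '[example-mitigation] blocked %s %s from %s ua="%s"',
        $request->get_method(),
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset( $_SERVER['HTTP_USER_AGENT'] ) ? substr( $_SERVER['HTTP_USER_AGENT'], 0, 200 ) : ''
    ) );

    return new WP_Error( 'rest_forbidden', 'This endpoint is temporarily disabled.', array( 'status' => 403 ) );
}
```

The entries this writes to the PHP error log, together with web-server access-log hits on the same path and any `wordpress_logged_in_*` cookies set in responses to it, are the signals the monitoring step above refers to. Note that a blanket block also stops legitimate gateway callbacks to that route, which is why the advisory frames this as an interim measure pending the vendor's fix.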

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-16T20:18:57.785Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 687f5a59a83201eaac1a3a74

Added to database: 7/22/2025, 9:31:05 AM

Last enriched: 7/22/2025, 9:46:35 AM

Last updated: 8/18/2025, 1:22:23 AM
