CVE-2025-6187: CWE-862 Missing Authorization in bsecuretech bSecure – Your Universal Checkout
The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user’s email to obtain a valid login cookie and fully impersonate that account.
AI Analysis
Technical Summary
CVE-2025-6187 is a critical security vulnerability affecting the bSecure – Your Universal Checkout plugin for WordPress, specifically versions 1.3.7 through 1.7.9. The vulnerability stems from a missing authorization check on the REST API endpoint /webhook/v2/order_info/. The plugin registers this route with a permission_callback function that always returns true, effectively disabling any authentication or authorization enforcement. As a result, any unauthenticated attacker who knows a valid user's email address can invoke this endpoint to retrieve a valid login cookie. This cookie allows the attacker to fully impersonate the targeted user account, leading to privilege escalation. The vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS v3.1 base score of 9.8, reflecting its critical severity. The attack vector is network-based (remote), requires no privileges or user interaction, and impacts confidentiality, integrity, and availability of the affected systems. This flaw enables attackers to bypass all authentication mechanisms, potentially compromising sensitive order and user data, modifying orders, or conducting fraudulent transactions. Although no known exploits are currently reported in the wild, the simplicity of exploitation and the high impact make this a significant threat to WordPress sites using the affected plugin versions.
Potential Impact
The impact of CVE-2025-6187 is severe for organizations using the vulnerable bSecure plugin on their WordPress sites. Attackers can fully impersonate any user account by exploiting the missing authorization, leading to unauthorized access to sensitive customer and order information. This can result in data breaches exposing personally identifiable information (PII), financial fraud through manipulation of orders or checkout processes, and loss of customer trust. The integrity of order data can be compromised, enabling attackers to alter or cancel orders. Availability may also be affected if attackers disrupt normal operations or lock out legitimate users. For e-commerce businesses, this vulnerability can cause direct financial losses and regulatory compliance violations, especially under data protection laws like GDPR or CCPA. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread abuse. Organizations worldwide relying on this plugin face risks of reputational damage, operational disruption, and potential legal consequences.
Mitigation Recommendations
To mitigate CVE-2025-6187, organizations should immediately update the bSecure plugin to a patched version once released by the vendor. Until a patch is available, administrators should consider disabling the vulnerable REST endpoint /webhook/v2/order_info/ via custom code or firewall rules to block unauthenticated access. Implementing Web Application Firewall (WAF) rules to restrict access to the REST API endpoints only to trusted IP addresses or authenticated users can reduce exposure. Monitoring web server and WordPress logs for suspicious access patterns targeting the order_info endpoint is recommended. Enforce strong email verification and multi-factor authentication (MFA) on user accounts to limit the impact of stolen login cookies. Regularly audit user accounts and session tokens for anomalies. Additionally, organizations should review and tighten REST API permissions in WordPress, ensuring that permission callbacks properly validate user authorization. Conducting penetration testing and vulnerability scanning focused on REST API endpoints can help identify similar authorization issues proactively.
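The last recommendation above is the one that removes the root cause: a REST route is only as protected as its permission_callback. The following PHP is an added illustration of that point and is not bSecure's code; the namespace example-shop/v1, the option name example_shop_webhook_secret, the header name and the capability name are assumptions chosen for the example. It shows the unconditional callback the advisory describes as a commented-out "before" line, beside a callback that actually decides who may call the route.

```php
<?php
/**
 * Added example, not the plugin's own code. Demonstrates the difference
 * between a permission_callback that always returns true (CWE-862) and one
 * that makes an authorization decision. Namespace, route, option name,
 * header name and capability name are assumptions for illustration.
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/order_info', array(
        'methods'  => 'POST',
        'callback' => 'example_shop_order_info',
        // Before: anyone on the network can call the route, no session needed.
        // 'permission_callback' => '__return_true',
        // After: the callback below must explicitly grant access.
        'permission_callback' => 'example_shop_order_info_permission',
        'args'                => array(
            'email' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) !== false;
                },
            ),
        ),
    ) );
} );

/**
 * Authorization decision for the route. Returns true to allow, or a
 * WP_Error carrying the HTTP status WordPress should send back.
 */
function example_shop_order_info_permission( WP_REST_Request $request ) {
    $email = (string) $request->get_param( 'email' );

    // Case 1: a logged-in site user (cookie auth; the caller must also send a
    // valid X-WP-Nonce header or WordPress treats the request as anonymous).
    if ( is_user_logged_in() ) {
        // Store managers may look up any customer (capability is an assumption);
        // everyone else may only look up their own address.
        if ( current_user_can( 'manage_woocommerce' ) ) {
            return true;
        }
        $user = wp_get_current_user();
        if ( strcasecmp( $user->user_email, $email ) === 0 ) {
            return true;
        }
        return new WP_Error(
            'rest_forbidden',
            'You may only query orders for your own account.',
            array( 'status' => 403 )
        );
    }

    // Case 2: a server-to-server webhook from the payment provider, proven by
    // a shared secret (option name and header name are assumptions).
    // hash_equals() compares in constant time.
    $expected = (string) get_option( 'example_shop_webhook_secret', '' );
    $supplied = (string) $request->get_header( 'x-example-webhook-secret' );
    if ( $expected !== '' && $supplied !== '' && hash_equals( $expected, $supplied ) ) {
        return true;
    }

    // Anonymous and no valid secret: 401 or 403 as WordPress core decides.
    return new WP_Error(
        'rest_forbidden',
        'Authentication required.',
        array( 'status' => rest_authorization_required_code() )
    );
}

/**
 * Route handler. It only runs after the permission callback granted access,
 * and it returns order metadata only. It must never mint a session
 * (wp_set_auth_cookie) from a caller-supplied email: that is exactly what
 * turns knowledge of an address into a login.
 */
function example_shop_order_info( WP_REST_Request $request ) {
    $user = get_user_by( 'email', (string) $request->get_param( 'email' ) );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such customer.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'customer_id'  => $user->ID,
        'display_name' => $user->display_name,
    ) );
}
```

A quick audit for the weak pattern across an install is to grep wp-content/plugins for `'permission_callback' => '__return_true'` and for closures that just `return true;`; each hit is only acceptable on a route that is genuinely public and returns nothing sensitive, which a route that hands back session material never is.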
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-16T20:18:57.785Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687f5a59a83201eaac1a3a74
Added to database: 7/22/2025, 9:31:05 AM
Last enriched: 2/27/2026, 4:04:46 PM
Last updated: 3/24/2026, 10:49:59 PM