CVE-2025-6214 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Omnishop WordPress plugin, which complements WooCommerce webshops by providing mobile shop apps. The vulnerability exists in the /users/delete REST API endpoint, present in all versions up to and including 1.0.9. The core issue lies in the permission_callback implementation, which only verifies that the requester is logged in but does not require any nonce or other proof of intent to validate the request's legitimacy. This design flaw allows an attacker to craft a malicious request that, if executed by an authenticated administrator (or any user with sufficient privileges), can delete arbitrary user accounts without their explicit consent. The attack vector requires the attacker to trick a logged-in administrator into clicking a malicious link or visiting a crafted webpage, which then silently triggers the deletion request. The vulnerability does not impact confidentiality or availability directly but severely impacts integrity by allowing unauthorized deletion of user accounts. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required for the attacker, but user interaction is necessary. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability is significant because it targets a popular e-commerce plugin integrated with WooCommerce, widely used in WordPress-based online shops, potentially disrupting user management and causing operational issues for affected sites.

For European organizations operating WooCommerce webshops using the Omnishop plugin, this vulnerability poses a risk of unauthorized user account deletions, which can disrupt business operations, customer management, and trust. The deletion of user accounts could lead to loss of customer data, interruption of order processing, and potential reputational damage. Since the vulnerability requires an administrator to be tricked into clicking a malicious link, targeted phishing campaigns could be used against European e-commerce administrators. This could be particularly impactful for small to medium-sized enterprises (SMEs) that may lack advanced security awareness or mitigation controls. Additionally, GDPR compliance could be affected if user data is improperly deleted or manipulated without proper authorization, leading to potential regulatory scrutiny. The vulnerability does not directly expose sensitive data but compromises the integrity of user management, which is critical for maintaining secure e-commerce operations.

1. Immediate mitigation should include restricting access to the /users/delete REST endpoint by implementing strict nonce verification or other anti-CSRF tokens to ensure proof of intent for sensitive actions. 2. Administrators should be trained to recognize and avoid phishing attempts that could trick them into clicking malicious links. 3. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable endpoint. 4. Limit administrator privileges and consider using multi-factor authentication (MFA) to reduce the risk of compromised admin sessions. 5. Monitor logs for unusual user deletion activities and set up alerts for unexpected REST API calls to the /users/delete route. 6. Regularly update the Omnishop plugin once a patch is released; meanwhile, consider disabling or restricting the plugin if feasible. 7. Employ Content Security Policy (CSP) headers to reduce the risk of malicious script execution that could facilitate CSRF attacks. 8. Conduct periodic security audits of WordPress plugins and REST API endpoints to identify and remediate similar vulnerabilities proactively.