CVE-2025-6214: CWE-352 Cross-Site Request Forgery (CSRF) in omnishop Omnishop – Mobile shop apps complementing your WooCommerce webshop

Severity: Medium
Tags: Vulnerability, CVE-2025-6214, CWE-352
Published: Wed Jul 23 2025 (07/23/2025, 02:24:39 UTC)
Source: CVE Database V5
Vendor/Project: omnishop
Product: Omnishop – Mobile shop apps complementing your WooCommerce webshop

Description

The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 16:07:53 UTC

Technical Analysis

CVE-2025-6214 is a CSRF vulnerability identified in the Omnishop plugin for WordPress, which complements WooCommerce webshops by providing mobile shop app functionality. The vulnerability resides in the /users/delete REST API endpoint, which is intended to allow deletion of user accounts. The endpoint's permission_callback only verifies that the requester is logged in, without requiring a nonce or other anti-CSRF tokens to confirm the user's intent. This design flaw enables an attacker to craft a malicious web page or email containing a forged request that, when visited or clicked by an authenticated site administrator, triggers the deletion of arbitrary user accounts without their explicit consent. The vulnerability affects all versions of Omnishop up to and including 1.0.9. The CVSS 3.1 base score is 6.5, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). Although no public exploits have been reported, the vulnerability poses a significant risk to the integrity of user data and administrative control within affected WooCommerce webshops. The lack of nonce or CSRF token validation is a critical oversight in the REST route's security design, making it susceptible to social engineering attacks targeting logged-in administrators.

Potential Impact

The primary impact of this vulnerability is on the integrity of user accounts within WooCommerce webshops using the Omnishop plugin. Successful exploitation allows attackers to delete arbitrary user accounts, potentially including administrators or privileged users, which can disrupt business operations and lead to loss of administrative control. While confidentiality and availability are not directly affected, the deletion of user accounts can cause significant operational disruption and loss of trust. Organizations relying on Omnishop for mobile shop app integration face risks of unauthorized account deletions, which could lead to customer dissatisfaction, loss of sales, and reputational damage. The attack requires user interaction (an administrator clicking a malicious link), so social engineering is a key factor. The vulnerability's network attack vector and lack of required privileges increase the risk of exploitation in environments where administrators access the webshop from untrusted networks or devices. Although no known exploits exist yet, the vulnerability is likely to attract attackers due to the potential for administrative disruption.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately implement the following measures:

1) Update the Omnishop plugin to a patched version once available that includes proper nonce or anti-CSRF token validation on the /users/delete REST route.
2) In the interim, restrict access to the REST API endpoints by limiting administrative access to trusted networks or VPNs.
3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious POST requests to the /users/delete endpoint originating from external or untrusted sources.
4) Educate administrators about the risks of clicking unknown or suspicious links, especially when logged into the webshop backend.
5) Monitor logs for unusual user deletion activity and implement alerting for unexpected account deletions.
6) Consider implementing multi-factor authentication (MFA) for administrative accounts to reduce the risk of session hijacking or unauthorized access.
7) Review and harden REST API permissions and callbacks to ensure all sensitive actions require explicit proof of intent such as nonces or tokens.

These steps will reduce the attack surface and help prevent exploitation until a vendor patch is released.
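As an added illustration of recommendation 7 (this is example code written for this page, not Omnishop's own source), the weak permission pattern the advisory describes is shown next to a hardened permission_callback for an equivalent WordPress REST route. The namespace `example-shop/v1` and the function names are assumed; the explicit capability and nonce checks act as defence in depth regardless of how the plugin establishes the caller's session.

```php
<?php
// Weak pattern (what the advisory describes): a session proves the caller is
// logged in, but says nothing about intent or whether they may delete users.
// A cross-site page that the administrator's browser loads can still trigger it.
function example_weak_delete_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: require both a user capable of deleting accounts and a
// valid REST nonce (action 'wp_rest') in the X-WP-Nonce header. A third-party
// origin cannot read the nonce, so a forged request is rejected here.
function example_hardened_delete_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'delete_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to delete users.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error(
            'rest_cookie_invalid_nonce',
            'Missing or invalid nonce (proof of intent required).',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Route handler: only reached when the permission callback returned true.
function example_delete_user_handler( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    $user_id = absint( $request->get_param( 'id' ) );
    if ( $user_id === get_current_user_id() ) {
        return new WP_Error( 'rest_cannot_delete_self', 'Refusing to delete the acting user.', array( 'status' => 400 ) );
    }
    $deleted = wp_delete_user( $user_id );
    return rest_ensure_response( array( 'id' => $user_id, 'deleted' => (bool) $deleted ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/users/delete', array(
        'methods'             => 'POST',
        'callback'            => 'example_delete_user_handler',
        'permission_callback' => 'example_hardened_delete_permission', // not the weak one
        'args'                => array(
            'id' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
        ),
    ) );
} );
```

Legitimate front-end callers obtain the nonce via `wp_create_nonce( 'wp_rest' )` (for example through `wp_localize_script`) and send it in the X-WP-Nonce header; any request lacking it, which is what a forged cross-site request looks like, is rejected before the handler runs.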


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-17T21:08:02.919Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68804d50ad5a09ad00065fe1

Added to database: 7/23/2025, 2:47:44 AM

Last enriched: 2/27/2026, 4:07:53 PM

Last updated: 3/24/2026, 1:11:24 PM

Views: 114
