
CVE-2025-6215: CWE-862 Missing Authorization in omnishop Omnishop – Mobile shop apps complementing your WooCommerce webshop

Medium
Published: Wed Jul 23 2025 (07/23/2025, 02:24:37 UTC)
Source: CVE Database V5
Vendor/Project: omnishop
Product: Omnishop – Mobile shop apps complementing your WooCommerce webshop

Description

The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site’s users_can_register option and any nonce or CAPTCHA checks. This makes it possible for unauthenticated attackers to create arbitrary user accounts (customer) on sites where registrations should be closed.

AI-Powered Analysis

Last updated: 07/23/2025, 03:03:34 UTC

Technical Analysis

CVE-2025-6215 is a medium-severity vulnerability affecting the Omnishop plugin for WordPress, which complements WooCommerce webshops by providing mobile shop app functionality. The vulnerability is classified under CWE-862 (Missing Authorization) and impacts all versions up to and including 1.0.9. The core issue lies in the /users/register endpoint of the plugin, where the permission_callback function always returns true, effectively exposing this endpoint to unauthenticated public access. This endpoint calls the WordPress function wp_create_user() without any conditional checks, ignoring the site's users_can_register setting as well as any nonce or CAPTCHA protections that would normally prevent unauthorized registrations. As a result, an unauthenticated attacker can create arbitrary user accounts with the 'customer' role on affected sites even if user registration is supposed to be disabled. This bypasses intended access controls and can lead to unauthorized account creation, potentially facilitating further malicious activities such as spam, fraudulent transactions, or privilege escalation attempts if combined with other vulnerabilities. The CVSS 3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is limited to integrity (unauthorized account creation) without direct confidentiality or availability effects. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that mitigation may require vendor updates or manual intervention.
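The pattern the advisory describes, shown as an added illustration (not the Omnishop plugin's own code): a WordPress REST route whose permission_callback always returns true beside a hardened variant that makes the authorization decision in permission_callback. The route namespace example/v1, the function names and the minimum password length are assumptions; users_can_register, wp_create_user(), the wp_rest nonce action and the WooCommerce customer role are real WordPress/WooCommerce identifiers.

```php
<?php
// Added example, not code from the Omnishop plugin. Namespace 'example/v1'
// and the example_* function names are assumptions for illustration.

// Vulnerable shape described by CVE-2025-6215: the route is public and
// wp_create_user() runs for any caller, regardless of site settings.
function example_register_route_vulnerable() {
    register_rest_route( 'example/v1', '/users/register', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // no authorization at all
        'callback'            => function ( WP_REST_Request $req ) {
            $id = wp_create_user( $req->get_param( 'username' ),
                $req->get_param( 'password' ), $req->get_param( 'email' ) );
            return rest_ensure_response( array( 'id' => $id ) );
        },
    ) );
}

// Hardened shape: honour the site-wide users_can_register option and the
// REST nonce (issued via wp_create_nonce( 'wp_rest' )) before the callback runs.
function example_register_permission( WP_REST_Request $req ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed',
            'Registration is disabled on this site.', array( 'status' => 403 ) );
    }
    if ( ! wp_verify_nonce( (string) $req->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {
        return new WP_Error( 'rest_invalid_nonce',
            'Missing or invalid nonce.', array( 'status' => 403 ) );
    }
    return true;
}

function example_register_callback( WP_REST_Request $req ) {
    $username = sanitize_user( (string) $req->get_param( 'username' ), true );
    $email    = sanitize_email( (string) $req->get_param( 'email' ) );
    $password = (string) $req->get_param( 'password' );
    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        return new WP_Error( 'invalid_input', 'Invalid registration data.',
            array( 'status' => 400 ) );
    }
    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id; // e.g. username or e-mail already in use
    }
    ( new WP_User( $user_id ) )->set_role( 'customer' ); // WooCommerce customer role
    return rest_ensure_response( array( 'id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users/register', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_register_permission',
        'callback'            => 'example_register_callback',
    ) );
} );
```

The CWE-862 fix is the permission_callback: with registrations closed the endpoint now returns HTTP 403 before wp_create_user() is ever reached, instead of creating the account and leaving the users_can_register setting meaningless.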

Potential Impact

For European organizations using the Omnishop plugin integrated with WooCommerce, this vulnerability poses a risk of unauthorized user registrations that can undermine the integrity of their e-commerce platforms. Attackers could create multiple fake customer accounts, potentially leading to fraudulent orders, abuse of promotional offers, or manipulation of customer data. This could erode customer trust and damage brand reputation. Additionally, unauthorized accounts might be leveraged as footholds for further attacks, such as social engineering or privilege escalation if other vulnerabilities exist. Since WooCommerce is widely used across Europe, especially by small and medium-sized enterprises (SMEs) operating online shops, the risk is significant for businesses relying on Omnishop for mobile app integration. The lack of authentication and bypass of registration controls could also complicate compliance with European data protection regulations like GDPR, as unauthorized accounts may lead to improper handling of personal data. However, the absence of direct confidentiality or availability impact limits the scope of damage to integrity and operational trust.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Omnishop plugin and verify the version in use. Until an official patch is released, administrators should consider disabling the Omnishop plugin or restricting access to the /users/register endpoint via web application firewall (WAF) rules or server-level access controls to prevent unauthenticated registrations. Implementing additional CAPTCHA or multi-factor verification at the registration endpoint, if possible, can help mitigate automated abuse. Monitoring user registration logs for unusual spikes or suspicious account creation patterns is advisable. Organizations should also review their user management policies and consider manual verification of new accounts during this period. Promptly applying vendor patches once available is critical. Additionally, security teams should conduct penetration testing focused on user registration flows to identify any other authorization weaknesses. Finally, updating WordPress core and WooCommerce to the latest versions can reduce the risk of chained exploits.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-17T21:45:34.183Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68804d50ad5a09ad00065fe5

Added to database: 7/23/2025, 2:47:44 AM

Last enriched: 7/23/2025, 3:03:34 AM

Last updated: 7/23/2025, 5:00:31 AM
