CVE-2025-6215 is a Missing Authorization vulnerability (CWE-862) found in the Omnishop plugin for WordPress, which integrates mobile shop apps with WooCommerce webshops. The vulnerability exists because the /users/register REST API endpoint is publicly accessible and its permission_callback function always returns true, effectively disabling any authorization checks. When this endpoint is called, it invokes the WordPress function wp_create_user() without validating whether user registration is allowed on the site, ignoring the users_can_register option. Additionally, the endpoint does not enforce nonce verification or CAPTCHA challenges, which are common protections against automated or unauthorized registrations. As a result, unauthenticated attackers can create arbitrary user accounts with the 'customer' role on affected sites, even if registrations are supposed to be closed. This can lead to unauthorized access, abuse of user privileges, or facilitate further attacks such as spam, phishing, or privilege escalation if combined with other vulnerabilities. The vulnerability affects all versions of Omnishop up to and including 1.0.9 and was publicly disclosed on July 23, 2025. The CVSS v3.1 base score is 5.3, reflecting medium severity, with an attack vector of network, low attack complexity, no privileges required, and no user interaction needed. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is unauthorized user account creation on WordPress sites using the vulnerable Omnishop plugin. This can undermine site security by allowing attackers to register accounts even when registrations are disabled, potentially enabling spam, fraudulent transactions, or abuse of customer privileges. While the created accounts have the 'customer' role, which typically has limited permissions, attackers can use these accounts as a foothold for social engineering, phishing, or to probe for additional vulnerabilities. In e-commerce environments, unauthorized accounts may be used to manipulate reviews, place fraudulent orders, or disrupt business operations. The vulnerability does not directly allow data disclosure or site takeover but can facilitate further attacks if combined with other weaknesses. Organizations worldwide using Omnishop with WooCommerce are at risk, especially those that rely on closed registration policies to control user access. The ease of exploitation and lack of authentication requirements increase the likelihood of automated abuse, impacting site integrity and user trust.

To mitigate CVE-2025-6215, organizations should immediately update the Omnishop plugin to a patched version once released by the vendor. Until a patch is available, administrators can implement the following specific measures: 1) Disable or restrict access to the /users/register REST API endpoint via web application firewalls (WAF) or custom server rules to block unauthenticated requests. 2) Implement additional access controls or authentication requirements on the registration endpoint using WordPress hooks or plugins that enforce nonce verification and CAPTCHA challenges. 3) Monitor user registrations closely for suspicious activity and implement rate limiting to reduce automated abuse. 4) Review and harden user role permissions to minimize the impact of unauthorized accounts. 5) Consider temporarily disabling the Omnishop plugin if registration control is critical and no immediate patch is available. 6) Employ security plugins that can detect and block unauthorized REST API calls. These targeted mitigations go beyond generic advice by focusing on controlling the vulnerable endpoint and enhancing registration security until an official fix is deployed.