CVE-2025-6215: CWE-862 Missing Authorization in omnishop Omnishop – Mobile shop apps complementing your WooCommerce webshop
The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site’s users_can_register option and any nonce or CAPTCHA checks. This makes it possible for unauthenticated attackers to create arbitrary user accounts (customer) on sites where registrations should be closed.
AI Analysis
Technical Summary
CVE-2025-6215 is a Missing Authorization vulnerability (CWE-862) in the Omnishop plugin for WordPress, affecting all versions up to 1.0.9. The plugin's /users/register endpoint publicly exposes user registration functionality without proper permission checks, as the permission_callback always returns true. It calls wp_create_user() unconditionally, bypassing the users_can_register option and any nonce or CAPTCHA verification. This flaw enables unauthenticated attackers to create arbitrary customer accounts on affected sites.
Potential Impact
The vulnerability allows attackers to bypass intended registration restrictions and create unauthorized user accounts. While it does not directly disclose sensitive data or allow privilege escalation, it can lead to unauthorized access as a customer-level user, potentially facilitating further abuse or fraud on the affected WooCommerce webshop.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling or restricting access to the /users/register endpoint or implementing custom authorization checks to prevent unauthorized registrations.
CVE-2025-6215: CWE-862 Missing Authorization in omnishop Omnishop – Mobile shop apps complementing your WooCommerce webshop
Description
The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site’s users_can_register option and any nonce or CAPTCHA checks. This makes it possible for unauthenticated attackers to create arbitrary user accounts (customer) on sites where registrations should be closed.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-6215 is a Missing Authorization vulnerability (CWE-862) in the Omnishop plugin for WordPress, affecting all versions up to 1.0.9. The plugin's /users/register endpoint publicly exposes user registration functionality without proper permission checks, as the permission_callback always returns true. It calls wp_create_user() unconditionally, bypassing the users_can_register option and any nonce or CAPTCHA verification. This flaw enables unauthenticated attackers to create arbitrary customer accounts on affected sites.
Potential Impact
The vulnerability allows attackers to bypass intended registration restrictions and create unauthorized user accounts. While it does not directly disclose sensitive data or allow privilege escalation, it can lead to unauthorized access as a customer-level user, potentially facilitating further abuse or fraud on the affected WooCommerce webshop.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling or restricting access to the /users/register endpoint or implementing custom authorization checks to prevent unauthorized registrations.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-17T21:45:34.183Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68804d50ad5a09ad00065fe5
Added to database: 7/23/2025, 2:47:44 AM
Last enriched: 4/9/2026, 9:39:18 PM
Last updated: 5/9/2026, 4:30:15 PM
Views: 145
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.