The CVE-2025-6721 vulnerability affects the bandido MORKVA Vchasno Kasa Integration plugin for WordPress, specifically all versions up to and including 1.0.3. The root cause is a missing capability check in the function mrkv_vchasno_kasa_wc_do_metabox_action(), which is responsible for handling metabox actions related to invoice generation. Because the plugin fails to verify whether the requester is authorized, unauthenticated attackers can invoke this function to generate invoices for arbitrary orders without any authentication or user interaction. This vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system does not properly enforce access control policies. The CVSS 3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack can be performed remotely over the network with low attack complexity, no privileges, and no user interaction, but it only results in limited confidentiality impact (unauthorized invoice data exposure) without affecting integrity or availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (July 19, 2025).

The primary impact of this vulnerability is unauthorized access to invoice data and the ability to generate invoices for arbitrary orders without authentication. While this does not directly compromise the integrity or availability of the system, it can lead to information disclosure of order details, potential financial discrepancies, and abuse of invoicing processes. Attackers could exploit this to create fraudulent invoices, causing confusion in financial records or enabling social engineering attacks against customers or staff. For e-commerce businesses relying on this plugin, this could undermine trust and lead to compliance issues related to data protection. The vulnerability's ease of exploitation and lack of required privileges increase the risk of opportunistic attacks, especially on sites that have not implemented additional access controls or monitoring.

To mitigate this vulnerability, organizations should immediately audit the authorization logic within the mrkv_vchasno_kasa_wc_do_metabox_action() function and implement strict capability checks to ensure only authenticated and authorized users can generate invoices. Until an official patch is released, administrators should consider disabling the Vchasno Kasa plugin or restricting access to the affected functionality via web application firewalls or custom code that enforces user authentication and role verification. Monitoring logs for unusual invoice generation activity can help detect exploitation attempts. Additionally, organizations should keep the plugin updated and subscribe to vendor or security mailing lists for timely patch releases. Employing a principle of least privilege for WordPress user roles and limiting plugin usage to trusted administrators can further reduce risk.