CVE-2025-6721: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration
The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.
AI Analysis
Technical Summary
CVE-2025-6721 is a medium-severity vulnerability in the MORKVA Vchasno Kasa Integration plugin for WordPress (vendor: bandido), affecting all versions up to and including 1.0.3. The root cause is a missing capability check in mrkv_vchasno_kasa_wc_do_metabox_action(), the handler for a metabox action that generates invoices for WooCommerce orders. Because the handler never verifies that the caller holds a capability such as editing shop orders, and is reachable without a WordPress session, an unauthenticated remote client can trigger invoice generation for any order ID it chooses. The weakness is CWE-862 (Missing Authorization): the operation is exposed, but the access-control decision that should precede it is absent. The CVSS 3.1 base score is 5.3 (Medium): network attack vector, low attack complexity, no privileges required and no user interaction. As scored, the impact is limited to confidentiality (access to invoice data) with no integrity or availability impact. Practitioners should read that scoring with a caveat: generating an invoice is a state-changing action, and depending on how the plugin's invoice workflow is wired, repeated unauthorized invocations may create records or outbound requests that the score does not capture. At the time of this analysis no exploitation in the wild had been reported and no fixed release was listed.
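The pattern the summary describes, shown as an added example (a hypothetical reconstruction, not the plugin's code and not taken from the advisory): a metabox handler that lacks the capability check, beside a hardened version. It assumes the handler is reached through admin-ajax.php, that the order ID arrives as a POST parameter and that WooCommerce is active; the page does not state how the real function is wired, and every name here (example_kasa_*, the action strings, the nonce name, the invoice helper) is illustrative.

```php
<?php
/**
 * Added example, not the plugin's code: a hypothetical reconstruction of the
 * CWE-862 pattern the advisory describes, beside a hardened version.
 * Assumptions: the handler is reached through admin-ajax.php, the order ID
 * arrives as $_POST['order_id'], and WooCommerce is active. All names
 * (example_kasa_*, the action strings, the nonce name) are illustrative.
 */

/** Hypothetical invoice step: records a note on the WooCommerce order. */
function example_kasa_generate_invoice( WC_Order $order ) {
    $order->add_order_note( 'Invoice generated via metabox action.' );
}

// ---- Vulnerable shape (what a missing capability check looks like) ----------
// Registered for anonymous callers too, with no capability check and no nonce:
// any remote client can POST action=example_kasa_metabox_unsafe&order_id=N
// and the handler will generate an invoice for order N.
add_action( 'wp_ajax_example_kasa_metabox_unsafe',        'example_kasa_do_metabox_action_vulnerable' );
add_action( 'wp_ajax_nopriv_example_kasa_metabox_unsafe', 'example_kasa_do_metabox_action_vulnerable' );

function example_kasa_do_metabox_action_vulnerable() {
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( $order ) {
        example_kasa_generate_invoice( $order );
    }
    wp_send_json_success();
}

// ---- Hardened shape ---------------------------------------------------------
// 1. No wp_ajax_nopriv_ hook: requests without a WordPress session never
//    reach the code.
// 2. check_ajax_referer() verifies a per-order nonce (CSRF protection only).
// 3. current_user_can( 'edit_shop_orders' ) is the authorization decision
//    whose absence defines CWE-862; WooCommerce grants this capability to
//    the shop manager and administrator roles.
add_action( 'wp_ajax_example_kasa_metabox', 'example_kasa_do_metabox_action_hardened' );

function example_kasa_do_metabox_action_hardened() {
    $order_id = absint( $_POST['order_id'] ?? 0 );

    // Nonce bound to the order ID: a token issued for order 17 is useless on 18.
    check_ajax_referer( 'example_kasa_metabox_' . $order_id, 'nonce' );

    // Authorization first, before touching any order data.
    if ( ! current_user_can( 'edit_shop_orders' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'unknown order' ), 404 );
    }

    example_kasa_generate_invoice( $order );
    wp_send_json_success( array( 'order_id' => $order_id ) );
}

// The metabox must emit the matching nonce; the admin-side JavaScript posts
// it as the "nonce" field together with order_id and the action name.
// Under HPOS the callback receives a WC_Order, otherwise a WP_Post.
function example_kasa_metabox_html( $post_or_order ) {
    $order_id = $post_or_order instanceof WC_Order ? $post_or_order->get_id() : $post_or_order->ID;
    wp_nonce_field( 'example_kasa_metabox_' . $order_id, 'nonce' );
    echo '<button type="button" class="button" id="example-kasa-invoice">Generate invoice</button>';
}
```

The hardened handler fails closed on three independent checks: it is not registered for anonymous callers at all, it verifies a per-order nonce so a logged-in shop manager cannot be tricked into triggering it cross-site, and it asks current_user_can() for edit_shop_orders before reading the order. The nonce is not a substitute for the capability check: WordPress nonces protect against CSRF, not against an unauthorized caller, and the missing capability check is exactly the control CWE-862 names.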
Potential Impact
For European organizations running WordPress with the MORKVA Vchasno Kasa Integration plugin, the direct risk is unauthorized disclosure of invoice data: customer purchase details, pricing and order history, which are personal data under the GDPR and may trigger breach-notification duties. The CVSS scoring records no integrity impact, but generating an invoice is not a read-only operation: unauthorized invoices for arbitrary orders can confuse order processing, pollute accounting records and undermine customer trust, with financial and reputational cost. Sectors with high transaction volumes or sensitive purchase data, such as retail, finance and healthcare, are most exposed. Disclosed order and customer details can also seed follow-on fraud or targeted phishing. Because the flaw needs no authentication and no user interaction, it is well suited to automated scanning, so any internet-facing store with the plugin installed should assume it will be probed. Until a fixed release is available, organizations must rely on the mitigations below.
Mitigation Recommendations
Audit every WordPress installation for the MORKVA Vchasno Kasa Integration plugin and record the installed version (the Plugins screen, or "wp plugin list" with WP-CLI); any version up to and including 1.0.3 is affected. The cleanest mitigation until a fix is published is to deactivate or uninstall the plugin. Where that is not feasible, apply a compensating control in front of the handler: a web application firewall cannot match on a PHP function name, so the rule has to target the request that reaches mrkv_vchasno_kasa_wc_do_metabox_action(), typically the endpoint and action parameter identified by reading the plugin source, and deny it to unauthenticated clients (for example, requests lacking a wordpress_logged_in_ cookie). Restricting wp-admin and admin-ajax.php by IP allow-list or VPN also closes the path, but test it first: many themes and plugins call admin-ajax.php from the public front end, and a blanket block will break them. Monitor web-server logs for repeated requests to the plugin's endpoint, especially from clients with no session cookie or cycling through sequential order IDs; that pattern is the signature of an attacker enumerating orders. Reviewing user permissions is good hygiene but does not address this flaw, which requires no account at all; the fix has to be a capability check in the handler, so confirm that the vendor's patched release adds one before treating the issue as closed. Track the vendor's release channel and apply the update promptly when it appears.
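An application-level alternative to the WAF rule above, as an added example (not code from the vendor or from this advisory): a must-use plugin that denies the invoice-generation request to anyone who cannot edit shop orders, until the vendor ships a fix. It assumes the plugin dispatches the action through a request parameter named "action" whose value must be read from the plugin's own source; the page does not publish that value, so KASA_GATE_ACTION below is a placeholder, and the hook name and function names are illustrative.

```php
<?php
/**
 * Plugin Name: Temporary authorization gate for the Vchasno Kasa metabox action
 *
 * Added example, not code from the plugin vendor or from this advisory.
 * Save it as wp-content/mu-plugins/kasa-gate.php so it loads before ordinary
 * plugins. It denies the invoice-generation request to anyone who lacks the
 * capability WooCommerce grants to shop managers and administrators.
 *
 * Assumption (the advisory does not publish the request shape): the handler is
 * selected by an "action" request parameter. Replace the placeholder below
 * with the real value taken from the plugin source.
 */

const KASA_GATE_ACTION = 'REPLACE_WITH_ACTION_VALUE_FROM_PLUGIN_SOURCE'; // placeholder

/**
 * Decide whether this request must be blocked.
 * Pure function: $request is the parameter array, $can is a capability
 * predicate, so the decision can be exercised outside WordPress.
 */
function kasa_gate_should_block( array $request, callable $can ) {
    $action = isset( $request['action'] ) ? (string) $request['action'] : '';
    if ( $action !== KASA_GATE_ACTION ) {
        return false;                    // unrelated request: never interfere
    }
    return ! $can( 'edit_shop_orders' ); // anonymous callers always fail this
}

// Priority 0 on init runs before ordinary plugin hooks and before the
// admin_init and wp_ajax_* stages that admin-ajax.php / admin-post.php fire
// after init, so the plugin's handler is never reached for blocked callers.
add_action( 'init', function () {
    if ( kasa_gate_should_block( $_REQUEST, 'current_user_can' ) ) {
        // Write to the PHP error log so the web-server log monitoring the
        // advisory recommends has a concrete event to correlate with.
        error_log( sprintf(
            'kasa-gate: blocked unauthorized %s from %s',
            KASA_GATE_ACTION,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );
```

Before relying on this, confirm in the plugin source which hook registers mrkv_vchasno_kasa_wc_do_metabox_action() and which parameters select it: if the handler runs on a hook earlier than init (for example plugins_loaded) or keys on a different parameter, the gate must be moved or its match adjusted, otherwise it silently does nothing. The mu-plugin is a stopgap; remove it once the vendor's fixed release, with its own capability check, is installed.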
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-26T14:07:49.904Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687b3122a83201eaacfa3af7
Added to database: 7/19/2025, 5:46:10 AM
Last enriched: 7/19/2025, 6:01:11 AM
Last updated: 7/19/2025, 9:55:11 AM
Related Threats
CVE-2025-7817: Cross Site Scripting in PHPGurukul Apartment Visitors Management System (Medium)
CVE-2025-7816: Cross Site Scripting in PHPGurukul Apartment Visitors Management System (Medium)
CVE-2025-7815: Cross Site Scripting in PHPGurukul Apartment Visitors Management System (Medium)
CVE-2025-6997: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ThemeREX ThemeREX Addons (Medium)
CVE-2025-6720: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration (Medium)