
CVE-2025-6721: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration

Medium
Tags: Vulnerability, CVE-2025-6721, CWE-862
Published: Sat Jul 19 2025 (07/19/2025, 05:32:08 UTC)
Source: CVE Database V5
Vendor/Project: bandido
Product: MORKVA Vchasno Kasa Integration

Description

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.

AI-Powered Analysis

AI analysis last updated: 07/27/2025, 00:55:09 UTC

Technical Analysis

CVE-2025-6721 is a medium severity vulnerability affecting the MORKVA Vchasno Kasa Integration plugin for WordPress, developed by bandido. The vulnerability arises from a missing authorization check (CWE-862) in the function mrkv_vchasno_kasa_wc_do_metabox_action(), which is responsible for handling metabox actions related to invoice generation within the plugin. Due to the absence of proper capability verification, unauthenticated attackers can exploit this flaw to generate invoices for arbitrary orders without any authentication or user interaction. This vulnerability affects all versions of the plugin up to and including version 1.0.3. The CVSS 3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), and no impact on integrity or availability (I:N, A:N). Although no known exploits are currently reported in the wild and no patches have been published yet, the vulnerability poses a risk to the confidentiality of order-related data by allowing unauthorized invoice generation, which could lead to information disclosure or fraudulent activities. The plugin is used to integrate Vchasno Kasa functionalities into WordPress e-commerce environments, likely targeting Ukrainian or Eastern European markets given the product naming and origin. The vulnerability's exploitation requires only network access and can be performed remotely without authentication, increasing its risk profile for exposed WordPress sites using this plugin.
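The pattern described above, shown as an added illustrative example rather than the plugin's own code: a hypothetical WordPress/WooCommerce action handler that generates an invoice with no authorization check, beside the same handler with the nonce and capability checks that close the CWE-862 gap. All function names (`example_*`) are invented for this illustration; the WooCommerce capability `edit_shop_order` and the `wc_get_order()` API are assumed to be available.

```php
<?php
// Added illustrative example, not code from the Vchasno Kasa plugin.
// Demonstrates the CWE-862 pattern in the advisory (a privileged action
// handler with no caller verification) next to the hardened form.

// Hypothetical helper: marks a WooCommerce order as invoiced.
function example_generate_invoice( $order_id ) {
    $order = wc_get_order( $order_id );           // WooCommerce API (assumed)
    if ( ! $order ) {
        return false;
    }
    $order->update_meta_data( '_example_invoice_issued', time() );
    $order->save();
    return true;
}

// BEFORE (vulnerable): registered for logged-out callers too, and the
// handler never asks who is making the request. Anyone who can reach the
// endpoint can trigger invoice generation for any order id.
add_action( 'wp_ajax_example_do_invoice',        'example_do_invoice_vulnerable' );
add_action( 'wp_ajax_nopriv_example_do_invoice', 'example_do_invoice_vulnerable' );
function example_do_invoice_vulnerable() {
    $order_id = isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : 0;
    if ( $order_id ) {
        example_generate_invoice( $order_id );
    }
    wp_die();
}

// AFTER (fixed): only logged-in callers reach the handler (no nopriv hook),
// the request must carry a nonce, and the caller must hold the capability
// for that specific order before any work is done.
add_action( 'wp_ajax_example_do_invoice_fixed', 'example_do_invoice_fixed' );
function example_do_invoice_fixed() {
    // CSRF protection: nonce bound to this action.
    check_ajax_referer( 'example_do_invoice', '_wpnonce' );

    $order_id = isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : 0;

    // Authorization (the missing CWE-862 check): a logged-in session is
    // not enough; the user must be allowed to edit this order.
    if ( ! $order_id || ! current_user_can( 'edit_shop_order', $order_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    example_generate_invoice( $order_id );
    wp_send_json_success( array( 'order_id' => $order_id ) );
}
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_nopriv_*`, `admin_post_nopriv_*` or REST route with `__return_true` permission callbacks, and for handlers that perform writes before the first `current_user_can()` call.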

Potential Impact

For European organizations, especially those using WordPress with the MORKVA Vchasno Kasa Integration plugin, this vulnerability can lead to unauthorized access to sensitive order data and the generation of fraudulent invoices. This could result in financial discrepancies, loss of customer trust, and potential regulatory compliance issues under GDPR due to unauthorized data exposure. Although the vulnerability does not directly affect data integrity or availability, the ability to generate invoices without authorization could be leveraged for fraud or to manipulate financial records. Organizations relying on this plugin for e-commerce operations may face operational disruptions if attackers exploit this flaw to create confusion or disputes over orders and billing. The medium severity indicates a moderate risk, but the lack of authentication requirement and ease of exploitation increase the urgency for mitigation. European businesses with online stores integrated with this plugin should be vigilant, as exploitation could also facilitate further attacks if combined with other vulnerabilities or social engineering tactics.

Mitigation Recommendations

Given the absence of an official patch at this time, European organizations should implement immediate compensating controls. These include restricting access to the WordPress admin and plugin endpoints via web application firewalls (WAFs) or IP whitelisting to limit exposure to untrusted networks. Monitoring and logging all invoice generation activities for anomalies can help detect exploitation attempts early. Organizations should also review and harden WordPress user roles and permissions to ensure minimal privilege principles are enforced. Temporarily disabling or uninstalling the MORKVA Vchasno Kasa Integration plugin until a patch is released is advisable for high-risk environments. Additionally, network segmentation and limiting public exposure of WordPress administrative interfaces can reduce attack surface. Once a patch is available, prompt application is critical. Security teams should also educate staff about potential phishing or social engineering attempts that might leverage this vulnerability to escalate attacks.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-26T14:07:49.904Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687b3122a83201eaacfa3af7

Added to database: 7/19/2025, 5:46:10 AM

Last enriched: 7/27/2025, 12:55:09 AM

Last updated: 8/24/2025, 4:09:06 PM

