CVE-2025-9209: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in magnigenie RestroPress – Online Food Ordering System
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-9209 affects the RestroPress – Online Food Ordering System plugin for WordPress, specifically versions 3.0.0 through 3.1.9.2. This plugin exposes sensitive user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint, which is publicly accessible without authentication. Due to this exposure, attackers can retrieve private tokens and subsequently forge JSON Web Tokens (JWTs) for arbitrary users, including those with administrative privileges. This authentication bypass allows attackers to impersonate any user, granting them unauthorized access to the system. The vulnerability stems from improper access control and information exposure (CWE-200). The CVSS 3.1 base score of 9.8 reflects the vulnerability’s critical nature, with network attack vector, no required privileges, no user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the ease of exploitation and the critical impact make this a severe threat. The lack of available patches increases the urgency for organizations to implement interim mitigations. The vulnerability compromises the core security model of the plugin, threatening user data confidentiality and system integrity, and potentially enabling full system takeover by attackers.
Potential Impact
The impact of CVE-2025-9209 is severe for organizations using the RestroPress plugin. Attackers can gain unauthorized administrative access, allowing them to manipulate orders, steal sensitive customer data, alter pricing or menu information, and disrupt service availability. This can lead to financial losses, reputational damage, and regulatory compliance violations, especially concerning customer data privacy. The exposure of private tokens also risks broader WordPress site compromise, potentially affecting other plugins and site components. For businesses relying on online food ordering, this could result in operational disruption and loss of customer trust. Given the critical nature of the vulnerability and the lack of patches, the threat extends to all organizations using affected versions, regardless of size or geography. The ability to forge JWT tokens without authentication significantly lowers the barrier for attackers, increasing the likelihood of exploitation once public details become widespread.
Mitigation Recommendations
Until an official patch is released, organizations should take immediate steps to mitigate the risk. First, disable or uninstall the vulnerable RestroPress plugin versions 3.0.0 to 3.1.9.2 if possible. If the plugin is essential, restrict access to the /wp-json/wp/v2/users REST API endpoint by implementing IP whitelisting or authentication requirements at the web server or application firewall level. Monitor logs for unusual JWT token creation or usage patterns, and implement anomaly detection on REST API requests. Enforce strong password policies and consider multi-factor authentication for WordPress administrator accounts to reduce the impact of compromised credentials. Regularly back up site data and configurations to enable rapid recovery. Stay alert for vendor updates or patches and apply them promptly once available. Additionally, conduct a thorough security audit of WordPress installations to identify any signs of compromise related to this vulnerability.
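The log-monitoring step above can be turned into a concrete check. The script below is an added example and is not code from the advisory, from Wordfence, or from the RestroPress project: it parses web-server access-log lines in combined format, flags requests that reached the core users REST route, and counts successful (2xx) responses per client address. It deliberately treats a 401 or 403 on that route as a sign the restriction is working and only reports 2xx responses, since those are the cases where user data actually left the server. It also goes slightly beyond the text by recognising the `?rest_route=/wp/v2/users` form, which WordPress serves when pretty permalinks are disabled, so a block rule that only matches `/wp-json/` would miss it. The log lines are constructed sample input, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). Addresses are
# RFC 5737 documentation ranges; nothing here is captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Oct/2025:11:20:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 2310 "-" "curl/8.4.0"
203.0.113.10 - - [03/Oct/2025:11:20:02 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 8120 "-" "curl/8.4.0"
198.51.100.7 - - [03/Oct/2025:11:21:15 +0000] "GET /menu/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Oct/2025:11:20:03 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 640 "-" "curl/8.4.0"
198.51.100.7 - - [03/Oct/2025:11:22:09 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 2290 "-" "python-requests/2.32"
192.0.2.44 - - [03/Oct/2025:11:25:40 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 80 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_users_endpoint(target):
    """True if the request target addresses the core users REST route, either as
    the pretty-permalink path /wp-json/wp/v2/users[/<id>] or via the
    ?rest_route=/wp/v2/users fallback WordPress honours without pretty permalinks."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    if path == "/wp-json/wp/v2/users" or path.startswith("/wp-json/wp/v2/users/"):
        return True
    for route in parse_qs(parts.query).get("rest_route", []):
        route = route.rstrip("/")
        if route == "/wp/v2/users" or route.startswith("/wp/v2/users/"):
            return True
    return False


def find_user_endpoint_hits(lines, min_status=200, max_status=299):
    """Return parsed entries where the users route was served with a status in
    [min_status, max_status]. A 401/403 means the access restriction held; a 2xx
    means data was returned and is the condition worth alerting on."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if is_users_endpoint(entry["target"]) and min_status <= entry["status"] <= max_status:
            hits.append(entry)
    return hits


def summarize_by_ip(hits):
    """Count successful users-route requests per client address."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_user_endpoint_hits(SAMPLE_LOG.splitlines())
    for ip, n in sorted(summarize_by_ip(hits).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} successful request(s) to the users REST route")
```

Run it against a real log by replacing `SAMPLE_LOG.splitlines()` with an open file handle; the thresholds to alert on depend on whether the site has any legitimate anonymous consumer of the users route, which for a storefront is normally none.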
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-19T18:58:41.894Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68dfb275c3835a5fbe033c48
Added to database: 10/3/2025, 11:24:37 AM
Last enriched: 2/26/2026, 5:46:11 PM
Last updated: 3/24/2026, 1:38:05 AM