bSecure – Your Universal Checkout, CVE-2025-6187
- CVE, Research URL
- Application
- Published on
- Jul 22, 2025
- Research Description
- The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user’s email to obtain a valid login cookie and fully impersonate that account.
- Affected versions
-
Min -, max 1.3.7.
- Status
-
vulnerable
Previous vulnerability researches |
---|
WP Gravity Forms Insightly (56cb8480-1791-4990-8fc7-2cb98a10c207) , Jun 06, 2024 |