cleantalk
Vulnerabilities and Security Researches

bSecure – Your Universal Checkout, CVE-2025-6187

CVE, Research URL

CVE-2025-6187

Home page URL

Security reports for bSecure – Your Universal Checkout

Application

bSecure – Your Universal Checkout

Published on
Jul 22, 2025
Research Description
The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user’s email to obtain a valid login cookie and fully impersonate that account.
Affected versions
Min -, max 1.3.7.
Status
vulnerable
Previous vulnerability researches
Vchasno Kasa (CVE-2025-6721) , Jul 19, 2025
Vchasno Kasa (CVE-2025-6720) , Jul 19, 2025
New vulnerability
CRM and Lead Management by vcita (CVE-2025-5240) , Jul 23, 2025
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor (CVE-2025-4685) , Jul 23, 2025
Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Galle (CVE-2025-7644) , Jul 23, 2025
bSecure – Your Universal Checkout (CVE-2025-6187) , Jul 23, 2025
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin (CVE-2025-6831) , Jul 23, 2025