Threat Entry Updated 2025-07-25

CVE-2025-6214 - Omnishop Plugin

The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Omnishop

CVE-2025-6214

MEDIUM CVSS 6.5 2025-07-23

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-07-25

CVE-2025-6215 - Omnishop Plugin

The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site’s users_can_register option and any nonce or CAPTCHA checks. This makes it possible for unauthenticated attackers to create arbitrary user accounts (customer) on sites where registrations should be closed.

PLUGIN Omnishop

CVE-2025-6215

MEDIUM CVSS 5.3 2025-07-23

Risk Score

Open Full Technical Breakdown