{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-29T06:49:44.003","vulnerabilities":[{"cve":{"id":"CVE-2025-6187","sourceIdentifier":"security@wordfence.com","published":"2025-07-22T10:15:25.607","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user’s email to obtain a valid login cookie and fully impersonate that account."},{"lang":"es","value":"El complemento bSecure para WordPress es vulnerable a la escalada de privilegios debido a la falta de autorización en su endpoint REST order_info en las versiones 1.3.7 a 1.7.9. El complemento registra la ruta /webhook/v2/order_info/ con un permission_callback que siempre devuelve verdadero, omitiendo así toda autenticación. Esto permite que atacantes no autenticados que conozcan el correo electrónico de cualquier usuario obtengan una cookie de inicio de sesión válida y suplanten esa cuenta."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/bsecure/tags/1.7.9/includes/class-bsecure-checkout.php","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/bsecure/tags/1.7.9/includes/class-wc-bsecure.php","source":"security@wordfence.com"},{"url":"https://wordpress.org/plugins/bsecure/#developers","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f51029-0748-4943-b0ef-fc822b14614a?source=cve","source":"security@wordfence.com"}]}}]}