Privilege Escalation in bSecure Plugin for WordPress
CVE-2025-6187

9.8 CRITICAL

What is CVE-2025-6187?

The bSecure plugin for WordPress is vulnerable to privilege escalation because its order_info REST endpoint performs no authorization check. In versions 1.3.7 through 1.7.9 the route's permission callback always returns true, so WordPress accepts requests to the endpoint from unauthenticated attackers. An attacker who knows the email address of any user can obtain a valid login cookie for that account, which lets them act as that user and read the account's sensitive information without authorization.
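The pattern behind this class of bug is a REST route registered with a permission callback that unconditionally returns true, combined with a handler that mints a session for whatever account the caller names. The PHP below is an added illustration written for this page, not the bSecure plugin's own code: the route namespace, function names, request parameters and the order-owner meta key are all assumptions. It shows the vulnerable shape next to a hardened version that authorizes the caller and never issues a login cookie from an attacker-supplied email.

```php
<?php
// Added example, not code from the bSecure plugin. Namespace, callback names,
// request parameters and the '_owner_user' meta key are assumptions.

// VULNERABLE pattern: '__return_true' as permission_callback means WordPress
// performs no authorization at all, so anonymous callers reach the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-checkout/v1', '/order_info', array(
        'methods'             => 'POST',
        'callback'            => 'example_order_info_vulnerable',
        'permission_callback' => '__return_true', // anyone, including unauthenticated users
    ) );
} );

function example_order_info_vulnerable( WP_REST_Request $request ) {
    $email = sanitize_email( (string) $request->get_param( 'email' ) );
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Unknown user', array( 'status' => 404 ) );
    }
    // This is the escalation: a session is created for an account selected
    // solely by an email the caller supplied, and the Set-Cookie header goes
    // back to the attacker as a valid login cookie for that user.
    wp_set_auth_cookie( $user->ID, true );
    return rest_ensure_response( array( 'logged_in' => $user->user_login ) );
}

// HARDENED pattern: require an authenticated caller and restrict the handler
// to data that caller is allowed to see. No cookie is ever issued here.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-checkout/v1', '/order_info_secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_order_info_secure',
        'permission_callback' => 'example_order_info_permission',
        'args'                => array(
            'order_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_order_info_permission( WP_REST_Request $request ) {
    // For cookie-authenticated REST calls WordPress only sets the current user
    // when a valid X-WP-Nonce accompanies the request; otherwise the request is
    // treated as anonymous and this check rejects it.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required', array( 'status' => 401 ) );
    }
    return true;
}

function example_order_info_secure( WP_REST_Request $request ) {
    $order_id = (int) $request->get_param( 'order_id' );
    // Hypothetical ownership lookup: the order post stores its owner's user ID
    // in the assumed '_owner_user' meta key.
    $owner_id = (int) get_post_meta( $order_id, '_owner_user', true );
    if ( $owner_id === 0 || $owner_id !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'Not your order', array( 'status' => 403 ) );
    }
    return rest_ensure_response( array( 'order_id' => $order_id ) );
}
```

When auditing a plugin for this issue, grep its `register_rest_route()` calls for `'permission_callback' => '__return_true'` (or a closure that only `return true;`) and then read the handler: an open callback is acceptable only for genuinely public, read-only data, never for a handler that calls `wp_set_auth_cookie()`, `wp_set_current_user()` or otherwise changes who the caller is.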

Affected Version(s)

bSecure – Your Universal Checkout, versions 1.3.7 through 1.7.9 (inclusive)

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kenneth Dunn