Authentication Bypass in Simple Payment Plugin for WordPress
CVE-2025-6688

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Simple Payment
Vendor: CVE Published:; 27 June 2025

What is CVE-2025-6688?

The Simple Payment plugin for WordPress contains a critical vulnerability allowing unauthenticated attackers to log in as administrative users. This issue arises from the inadequate verification of user identities during the login process utilizing the create_user() function. Versions 1.3.6 to 2.3.8 are particularly affected, which exposes sites to significant security risks if left unaddressed. Admins should update to the latest version immediately to remediate this vulnerability and protect sensitive site functions.

Affected Version(s)

Simple Payment 1.3.6 <= 2.3.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3318371/simp...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 27, 2025
Vulnerability Reserved
Jun 25, 2025

Credit

Kenneth Dunn