CVE-2025-6187: 
WordPress vulnerability analysis and mitigation

The bSecure plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-6187) discovered in versions 1.3.7 through 1.7.9. The vulnerability was disclosed on July 22, 2025. The issue affects the orderinfo REST endpoint which has a permissioncallback that always returns true, effectively bypassing all authentication mechanisms (NVD).

The vulnerability stems from a missing authorization check within the plugin's /webhook/v2/orderinfo/ route. The permissioncallback function for this endpoint is improperly configured to always return true, which completely bypasses the WordPress authentication system. This implementation flaw has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating the highest severity level (NVD).

The vulnerability allows unauthenticated attackers who know any user's email address to obtain a valid login cookie and fully impersonate that account. This means attackers can gain unauthorized access to user accounts and potentially perform any actions available to the compromised user account (NVD).

The plugin has been temporarily closed as of July 21, 2025, pending a full security review. Users are advised to disable and uninstall the plugin until a patched version is released (WordPress Plugin).