CVE-2025-6214: 
WordPress vulnerability analysis and mitigation

The Omnishop plugin for WordPress (versions up to 1.0.9) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-6214. The vulnerability was discovered and reported by Wordfence on July 22, 2025. The issue affects the plugin's /users/delete REST route, where the permission verification system only checks if the user is logged in without implementing proper CSRF protection mechanisms (NVD).

The vulnerability stems from inadequate security controls in the permission_callback function of the /users/delete REST route. The function only verifies user authentication status but fails to implement nonce verification or other intent validation mechanisms. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and high impact on integrity (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to delete arbitrary user accounts from the WordPress installation. The attack requires user interaction, typically in the form of tricking a site administrator into clicking a malicious link. The impact primarily affects the integrity of the system by allowing unauthorized deletion of user accounts (NVD).

The plugin has been temporarily closed for download as of July 21, 2025, pending a full security review. Site administrators using affected versions should consider disabling the plugin until a patched version is available (WordPress Plugin).