CVE-2025-6688: 
WordPress vulnerability analysis and mitigation

The Simple Payment plugin for WordPress contains an Authentication Bypass vulnerability (CVE-2025-6688) affecting versions 1.3.6 to 2.3.8. The vulnerability was discovered and disclosed on June 26, 2025, and was assigned a CVSS v3.1 score of 9.8 (Critical). The issue affects the WordPress plugin's user authentication mechanism (NVD, Wiz).

The vulnerability stems from improper user identity verification in the create_user() function. This security flaw allows unauthenticated attackers to bypass authentication controls and gain administrative access to the WordPress installation. The vulnerability has been assigned CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and received a Critical CVSS v3.1 base score of 9.8 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Wordfence).

The vulnerability allows unauthenticated attackers to gain unauthorized administrative access to WordPress installations running the affected versions of the Simple Payment plugin. This could lead to complete compromise of the WordPress site, as administrative access grants full control over the website's content, settings, and functionality (NVD).

Users are advised to update to Simple Payment plugin version 2.3.9 or later, which contains the security fix for this vulnerability. The fix has been implemented in the plugin's authentication mechanism as evidenced by the changelog (WordPress Plugin).