CVE-2025-8570: 
WordPress vulnerability analysis and mitigation

The BeyondCart Connector plugin for WordPress contains a critical Privilege Escalation vulnerability (CVE-2025-8570) discovered in versions 1.4.2 through 2.1.0. The vulnerability was disclosed on September 11, 2025, and stems from improper JWT secret management and authorization within the determine_current_user filter. The plugin has been temporarily closed for security review as of September 10, 2025 (NVD, WordPress).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) (Wordfence).

The vulnerability allows unauthenticated attackers to craft valid tokens and assume any user's identity within the WordPress installation. This effectively bypasses authentication mechanisms and could lead to complete site compromise through privilege escalation (NVD).

The plugin has been temporarily closed and removed from the WordPress plugin repository pending a security review. Users are advised to disable and remove the BeyondCart Connector plugin until a patched version is released (WordPress).