CVE-2025-9209: 
WordPress vulnerability analysis and mitigation

The RestroPress – Online Food Ordering System plugin for WordPress contains an Authentication Bypass vulnerability (CVE-2025-9209) affecting versions 3.0.0 to 3.1.9.2. The vulnerability was discovered and disclosed on October 3, 2025. The plugin has been temporarily closed as of September 30, 2025, pending a full security review (NVD, WordPress Plugin).

The vulnerability stems from the plugin exposing user private tokens and API data through the /wp-json/wp/v2/users REST API endpoint. This security flaw has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability has been classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows unauthenticated attackers to forge JWT tokens for other users, including administrators, enabling them to authenticate as these users. This effectively bypasses the authentication system, potentially giving attackers full administrative access to the affected WordPress installations (NVD).

The WordPress plugin directory has temporarily closed the plugin as of September 30, 2025, pending a full security review. Users are advised to disable and remove the plugin until a security patch is available (WordPress Plugin).