CVE-2025-6215

CVE-2025-6215 is a medium-severity vulnerability with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-862.

Key facts

Description

The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site’s users_can_register option and any nonce or CAPTCHA checks. This makes it possible for unauthenticated attackers to create arbitrary user accounts (customer) on sites where registrations should be closed.

Frequently asked questions

What is CVE-2025-6215?
The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site’s users_can_register option and any nonce or CAPTCHA checks. This makes it possible for unauthenticated attackers to create arbitrary user accounts (customer) on sites where registrations should be closed.
How severe is CVE-2025-6215?
CVE-2025-6215 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2025-6215 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (18th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-6215?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-6215 have an EU (EUVD) identifier?
Yes. CVE-2025-6215 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-22405.
When was CVE-2025-6215 published?
CVE-2025-6215 was published on 2025-07-23 and last updated on 2026-06-17.

References

Other CWE-862 (Missing Authorization) vulnerabilities

Browse all CWE-862 (Missing Authorization) vulnerabilities →