Description
The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary user deletion via CSRF
Action: Apply patch
AI Analysis

Impact

The Omnishop plugin for WordPress exposes an unsecured REST endpoint at /users/delete. The permission_callback performs only a generic logged‑in check, omitting the required nonce or other proof of intent. Consequently, any attacker who can force a logged‑in administrator to submit a crafted request can delete any user account without authentication. This can result in loss of user data, disruption of access control, and denial of service to functions that rely on the deleted accounts.

Affected Systems

The vulnerability is present in all Omnishop installations up to and including version 1.0.9. The affected product is the Omnishop plugin for WordPress, which provides mobile shop apps for WooCommerce webshops.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1 % suggests exploitation is likely rare. The flaw is not listed in the CISA KEV catalog. Attackers would require a social‑engineering step to get a logged‑in administrator to trigger the REST call, making the vector web‑based and user‑dependent. The root cause is the missing CSRF protection (CWE‑352).

Generated by OpenCVE AI on April 20, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Omnishop to a version newer than 1.0.9 to receive the vendor‑supplied CSRF guard for the /users/delete route.
  • If an immediate update is infeasible, block or disable the /users/delete REST route through a web‑application firewall rule or by removing the endpoint with a plugin filter, ensuring that only requests including a valid WordPress nonce are accepted.
  • Implement monitoring or audit logging for user deletion actions to detect anomalous activity and trigger alerts when an unexpected account removal occurs.

Generated by OpenCVE AI on April 20, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-22400 The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 23 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 23 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 23 Jul 2025 02:45:00 +0000

Type Values Removed Values Added
Description The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Omnishop <= 1.0.9 - Cross-Site Request Forgery to Arbitrary User Deletion via /users/delete REST Endpoint
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:26.839Z

Reserved: 2025-06-17T21:08:02.919Z

Link: CVE-2025-6214

cve-icon Vulnrichment

Updated: 2025-07-23T18:27:12.057Z

cve-icon NVD

Status : Deferred

Published: 2025-07-23T03:15:25.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses