CVE-2025-6214
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2025-6214. We'll provide specific mitigation strategies based on your environment and risk profile.
CVSS Score
V3.1Attack Vector Metrics
Impact Metrics
Description
The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Available Exploits
Related News
Affected Products
Affected Versions:
EU Vulnerability Database
Monitored by ENISA for EU cybersecurity
ENISA Analysis
The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected Products (ENISA)
ENISA Scoring
CVSS Score (3.1)
EPSS Score
ENISA References
Data provided by ENISA EU Vulnerability Database. Last updated: July 23, 2025
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
Advisory Details
CVSS Scoring
CVSS Score
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References
Advisory provided by GitHub Security Advisory Database. Published: July 23, 2025, Modified: July 23, 2025