Introduction
Attackers are actively impersonating WordPress users and administrators on thousands of e-commerce sites by abusing a critical flaw in the bSecure plugin. This vulnerability allows anyone who knows a user's email address to gain full access to that account, including administrator privileges, without authentication. The impact is immediate and severe for any site running affected versions of bSecure.
About bSecure: bSecure is a universal checkout and authentication plugin for WordPress, widely adopted by e-commerce businesses. With over 200,000 active installations, it is a key component in many online stores' payment workflows. Its integration with WooCommerce and other platforms makes it a high-value target for attackers seeking access to sensitive customer and order data.
Technical Information
The vulnerability (CVE-2025-6187) is a missing authorization flaw in the bSecure plugin's REST API implementation. Specifically, the plugin registers the /webhook/v2/order_info/ endpoint with a permission_callback that always returns true. This disables all authentication and authorization for the endpoint, allowing any unauthenticated user to interact with it.
Vulnerable Code Pattern
    register_rest_route('webhook/v2', '/order_info/', [
        'methods'             => 'GET',
        'callback'            => 'get_order_info',
        'permission_callback' => '__return_true', // Unconditional access
    ]);
Exploitation Flow
- The attacker identifies or guesses a valid email address of a user on the target WordPress site.
- The attacker sends a GET request to the vulnerable endpoint:
  GET /wp-json/webhook/v2/order_info?email=<victim_email>
- The endpoint responds with a valid authentication cookie for the specified user.
- The attacker uses this cookie to impersonate the user, gaining full access to their account. If the targeted user is an administrator, the attacker can take over the entire site.
This flaw is classified as CWE-862 (Missing Authorization) and results from a fundamental misconfiguration of the REST API's security model. WordPress REST API endpoints are required to use permission_callback to enforce granular access control. By returning true unconditionally, the plugin exposes sensitive functionality to the public.
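The following is an added example of how the same route would be registered with a real permission check; it is not bSecure's code. The function name bsecure_order_info_permission, the BSECURE_WEBHOOK_SECRET constant, the X-Bsecure-Signature header and the manage_woocommerce capability check are assumptions chosen for illustration. register_rest_route, WP_REST_Request, WP_Error, current_user_can, is_email, sanitize_email, hash_hmac and hash_equals are standard WordPress/PHP APIs.

```php
<?php
// Added example (not the plugin's own code): the order_info route registered
// with a permission_callback that actually decides who may call it.
// Assumed names: bsecure_order_info_permission, BSECURE_WEBHOOK_SECRET,
// the X-Bsecure-Signature header and the manage_woocommerce capability.

add_action('rest_api_init', function () {
    register_rest_route('webhook/v2', '/order_info/', [
        'methods'             => 'GET',
        'callback'            => 'get_order_info',
        // Never '__return_true' on a route that touches accounts or orders.
        'permission_callback' => 'bsecure_order_info_permission',
        'args'                => [
            'email' => [
                'required'          => true,
                'validate_callback' => function ($value) {
                    return is_email($value) !== false;
                },
                'sanitize_callback' => 'sanitize_email',
            ],
        ],
    ]);
});

/**
 * Allow the request only if (a) the caller is a logged-in user with an
 * order-management capability, or (b) it is a machine-to-machine webhook
 * call carrying a valid HMAC over the email parameter, computed with a
 * secret shared with the payment provider (assumed to live in wp-config.php).
 * Anything else gets a WP_Error, which WordPress turns into a 401/403.
 */
function bsecure_order_info_permission(WP_REST_Request $request) {
    // (a) Interactive callers: WordPress cookie auth plus the REST nonce has
    // already populated the current user; require a real capability on top.
    if (is_user_logged_in() && current_user_can('manage_woocommerce')) {
        return true;
    }

    // (b) Webhook callers: constant-time comparison of a signature header.
    if (!defined('BSECURE_WEBHOOK_SECRET') || BSECURE_WEBHOOK_SECRET === '') {
        return new WP_Error('rest_forbidden', 'Webhook secret not configured.', ['status' => 403]);
    }
    $signature = (string) $request->get_header('X-Bsecure-Signature');
    $expected  = hash_hmac('sha256', (string) $request->get_param('email'), BSECURE_WEBHOOK_SECRET);
    if ($signature !== '' && hash_equals($expected, $signature)) {
        return true;
    }

    return new WP_Error('rest_forbidden', 'Not allowed.', ['status' => 401]);
}
```

Two design points follow from the flaw described above. First, the permission check belongs in permission_callback, not inside get_order_info, because WordPress evaluates it before the handler runs and before any arguments reach plugin code. Second, an authorization fix alone is not enough here: a route that answers a lookup by email with a login cookie for that account is unsafe by design, so the handler itself should return order data and never call the cookie-setting functions on behalf of an arbitrary user.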
Attack Vectors
- Any unauthenticated user can exploit the flaw if they know or can guess a valid user email.
- Attackers can chain this vulnerability with other flaws (such as SQL injection) to enumerate user emails and automate mass account takeovers.
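For defenders triaging whether a site was hit, the added example below (not bSecure's or Wordfence's code) scans web-server access logs for requests to the order_info route and lists, per source address, which email parameters were passed. The log lines are constructed for illustration and the combined log format is assumed; the function names are hypothetical.

```php
<?php
// Added example (not the plugin's code): log triage for the order_info route.
// The log lines below are constructed sample data in the assumed combined
// log format; bsecure_find_order_info_hits and bsecure_summarise are
// hypothetical helper names.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [22/Jul/2025:10:01:02 +0000] "GET /wp-json/webhook/v2/order_info?email=alice%40example.com HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [22/Jul/2025:10:01:03 +0000] "GET /wp-json/webhook/v2/order_info?email=admin%40example.com HTTP/1.1" 200 530 "-" "python-requests/2.31"
198.51.100.7 - - [22/Jul/2025:10:05:44 +0000] "GET /wp-json/wc/v3/orders HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jul/2025:10:01:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "https://shop.example/" "python-requests/2.31"
LOG;

/**
 * Return one finding per request to the order_info route, decoding the
 * email parameter so an analyst can see which accounts were looked up.
 */
function bsecure_find_order_info_hits(string $log): array {
    $pattern = '~^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] '
             . '"(?<method>[A-Z]+) (?<path>/wp-json/webhook/v2/order_info/?\?[^" ]*) [^"]*" '
             . '(?<status>\d{3})~';
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not a hit on the vulnerable route
        }
        parse_str((string) parse_url($m['path'], PHP_URL_QUERY), $params);
        $findings[] = [
            'ip'     => $m['ip'],
            'time'   => $m['time'],
            'email'  => $params['email'] ?? '(none)',
            'status' => (int) $m['status'],
        ];
    }
    return $findings;
}

/** Group findings by source IP so one scanner probing many accounts stands out. */
function bsecure_summarise(array $findings): array {
    $byIp = [];
    foreach ($findings as $f) {
        $byIp[$f['ip']]['count']    = ($byIp[$f['ip']]['count'] ?? 0) + 1;
        $byIp[$f['ip']]['emails'][] = $f['email'];
    }
    return $byIp;
}

foreach (bsecure_summarise(bsecure_find_order_info_hits(SAMPLE_LOG)) as $ip => $info) {
    printf("%s: %d request(s) to order_info, emails looked up: %s\n",
        $ip, $info['count'], implode(', ', array_unique($info['emails'])));
}
```

On an unpatched version, a 200 response to an unauthenticated request on this route means a login cookie was issued for the named account, so every email in the output should be treated as a compromised account and its sessions and credentials rotated; the /wp-admin/ hit from the same address shortly afterwards is the kind of follow-on activity worth correlating.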
Affected Systems and Versions
- Product: bSecure WordPress plugin
- Affected Versions: 1.3.7 through 1.7.9 (inclusive)
- Vulnerable Configuration: Any WordPress installation with the bSecure plugin enabled and accessible REST API endpoints
Vendor Security History
bSecure has experienced multiple critical vulnerabilities in 2025, including:
- CVE-2025-52830: SQL injection in earlier versions
- CVE-2025-6187: This privilege escalation flaw
There is no evidence of a formal security response process or timely patching for these issues. As of July 22, 2025, CVE-2025-6187 remains unpatched, and the vendor has not issued public advisories or mitigation guidance. This pattern indicates gaps in secure development practices and incident response.
References
- NVD CVE-2025-6187
- Wordfence Threat Intelligence: bSecure
- bSecure Plugin Source: class-bsecure-checkout.php
- bSecure Plugin Source: class-wc-bsecure.php
- WordPress Plugin Directory: bSecure
- Wordfence CVE Advisory
- CWE-862: Missing Authorization
Source: This report was created using AI