Introduction
Attackers can gain full administrative access to WordPress sites running vulnerable versions of RestroPress, a widely used online food ordering plugin. This flaw directly exposes sensitive authentication tokens through a public API endpoint, enabling unauthenticated access to any user account, including administrators.
RestroPress is a WordPress plugin developed by Magnigenie, designed for restaurants and food businesses to manage online orders. With over 124,000 downloads and more than 1,000 active installations, it is a significant player in the food service tech space. Its user base consists largely of small to medium-sized businesses that rely on WordPress for e-commerce and customer engagement.
Technical Information
CVE-2025-9209 is caused by improper handling of sensitive user data within the RestroPress plugin for WordPress, specifically in versions 3.0.0 through 3.1.9.2. The core issue is that the plugin exposes private user tokens and API data via the /wp-json/wp/v2/users REST API endpoint. By default, this endpoint is accessible to unauthenticated users in WordPress installations.
The plugin does not adequately filter or restrict sensitive user meta fields when responding to API requests. As a result, attackers can enumerate users and extract private tokens or cryptographic material directly from the API response. Once an attacker has obtained these tokens, they can forge valid JSON Web Tokens (JWTs) for any user, including those with administrative privileges. This allows the attacker to bypass all authentication controls and gain full access to the WordPress site.
This vulnerability is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The exposure of authentication tokens is the direct root cause, and the exploitation path is straightforward due to the lack of access controls on the affected API endpoint.
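A compensating control a site owner can apply while waiting to upgrade, as an added example (not RestroPress code and not Magnigenie's patch): a WordPress must-use plugin that refuses anonymous requests to the /wp/v2/users routes and strips plugin-added fields and all user meta from user responses for anyone without the list_users capability. The allowlist of core public fields and the hook priorities are assumptions; only WordPress core REST hooks are used.

```php
<?php
/**
 * Plugin Name: Restrict public user data in the REST API (hypothetical mu-plugin)
 *
 * Added example, not vendor code. Place in wp-content/mu-plugins/ as a
 * compensating control until RestroPress is updated past 3.1.9.2.
 */

// 1. Deny anonymous access to every /wp/v2/users route before it is dispatched.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited the request
    }
    if ( ! is_user_logged_in() && 0 === strpos( $request->get_route(), '/wp/v2/users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication is required to query users.',
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );

// 2. For authenticated callers without list_users (e.g. customer accounts), drop every
//    field a plugin may have attached to the user object and empty the meta block,
//    so no per-user token or secret can leave the site through this endpoint.
add_filter( 'rest_prepare_user', function ( $response, $user, $request ) {
    if ( current_user_can( 'list_users' ) ) {
        return $response; // administrators keep the full edit-context payload
    }
    // Assumed allowlist of WordPress core public user fields; extend if your site needs more.
    $public_fields = array( 'id', 'name', 'url', 'description', 'link', 'slug', 'avatar_urls' );
    $data = array_intersect_key( $response->get_data(), array_flip( $public_fields ) );
    $data['meta'] = new stdClass(); // never expose registered user meta to non-admins
    $response->set_data( $data );
    return $response;
}, PHP_INT_MAX, 3 );
```

After installing it, request /wp-json/wp/v2/users anonymously and confirm a 401 response; a logged-in non-admin should see only the allowlisted fields and an empty meta object.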
Affected Systems and Versions
- Product: RestroPress – Online Food Ordering System plugin for WordPress
- Affected Versions: 3.0.0 through 3.1.9.2
- Vulnerable Configuration: Any WordPress installation with a vulnerable version of RestroPress enabled and the REST API accessible to unauthenticated users
Vendor Security History
Magnigenie, the developer of RestroPress, has a documented history of security issues in this plugin. Previous vulnerabilities include:
- CVE-2024-35719: Authenticated stored cross-site scripting (XSS) in versions up to 3.1.2.1
- CVE-2024-32449: Cross-site request forgery (CSRF) in order processing
- Multiple missing authorization and input validation issues
The vendor has released patches in response to disclosures but continues to experience recurring security problems, indicating ongoing challenges with secure development practices.