RestroPress WordPress Plugin CVE-2025-9209: Brief Summary of Critical Authentication Bypass

A brief summary of CVE-2025-9209, a critical authentication bypass in RestroPress for WordPress (versions 3.0.0 to 3.1.9.2). This post covers technical details, affected versions, vendor security history, and key references.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-10-03

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers can gain full administrative access to WordPress sites running vulnerable versions of RestroPress, a widely used online food ordering plugin. This flaw directly exposes sensitive authentication tokens through a public API endpoint, enabling unauthenticated access to any user account, including administrators.

RestroPress is a WordPress plugin developed by Magnigenie, designed for restaurants and food businesses to manage online orders. With over 124,000 downloads and more than 1,000 active installations, it is a significant player in the food service tech space. Its user base consists largely of small to medium-sized businesses that rely on WordPress for e-commerce and customer engagement.

Technical Information

CVE-2025-9209 is caused by improper handling of sensitive user data within the RestroPress plugin for WordPress, specifically in versions 3.0.0 through 3.1.9.2. The core issue is that the plugin exposes private user tokens and API data via the /wp-json/wp/v2/users REST API endpoint. By default, this endpoint is accessible to unauthenticated users in WordPress installations.

The plugin does not adequately filter or restrict sensitive user meta fields when responding to API requests. As a result, attackers can enumerate users and extract private tokens or cryptographic material directly from the API response. Once an attacker has obtained these tokens, they can forge valid JSON Web Tokens (JWTs) for any user, including those with administrative privileges. This allows the attacker to bypass all authentication controls and gain full access to the WordPress site.

This vulnerability is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The exposure of authentication tokens is the direct root cause, and the exploitation path is straightforward due to the lack of access controls on the affected API endpoint.
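
The following PHP is an added illustration written for this summary; it is not RestroPress code and does not claim to show how the plugin actually registers its data. It shows the general pattern behind this class of CWE-200 bug in WordPress: a plugin registers a secret-bearing user meta key with `show_in_rest` enabled, so the value is serialised into every user object returned by `/wp-json/wp/v2/users`, which unauthenticated clients can read for any user who has published content. The meta key `example_api_token`, the function names and the `EXAMPLE_SENSITIVE_USER_META` constant are hypothetical. The hardened form keeps the secret out of the REST schema, and a `rest_prepare_user` filter strips it defensively for any caller who may not edit that user.

```php
<?php
/**
 * Added example (not RestroPress code): the weak pattern behind exposing
 * user secrets through the WordPress users REST endpoint, and its fix.
 *
 * Assumption (hypothetical): a plugin keeps a per-user API token in user
 * meta under the key 'example_api_token'.
 */

// WEAK PATTERN: registering the secret with show_in_rest => true places it in
// the 'meta' object of every user returned by /wp-json/wp/v2/users.
function example_register_token_meta_weak() {
    register_meta( 'user', 'example_api_token', array(
        'type'         => 'string',
        'single'       => true,
        'show_in_rest' => true, // the mistake: the secret joins the public schema
    ) );
}

// HARDENED: keep the secret out of the REST schema entirely. Server-side code
// can still read it with get_user_meta(); it is simply never serialised.
function example_register_token_meta_hardened() {
    register_meta( 'user', 'example_api_token', array(
        'type'          => 'string',
        'single'        => true,
        'show_in_rest'  => false,
        // auth_callback only gates writes through the API; it does not hide reads.
        'auth_callback' => function () {
            return current_user_can( 'edit_users' );
        },
    ) );
}
add_action( 'init', 'example_register_token_meta_hardened' );

// DEFENCE IN DEPTH: remove listed meta keys from user responses unless the
// caller can edit that user, regardless of how the key was registered.
const EXAMPLE_SENSITIVE_USER_META = array( 'example_api_token' );

function example_strip_sensitive_user_meta( $response, $user, $request ) {
    $data = $response->get_data();
    if ( isset( $data['meta'] ) && is_array( $data['meta'] ) ) {
        foreach ( EXAMPLE_SENSITIVE_USER_META as $key ) {
            if ( array_key_exists( $key, $data['meta'] )
                && ! current_user_can( 'edit_user', $user->ID ) ) {
                unset( $data['meta'][ $key ] );
            }
        }
        $response->set_data( $data );
    }
    return $response;
}
add_filter( 'rest_prepare_user', 'example_strip_sensitive_user_meta', 10, 3 );
```

To confirm a site is not leaking in this way, issue an unauthenticated GET to `/wp-json/wp/v2/users` and check that the `meta` object of each returned user contains nothing that functions as a credential; anything used to mint or validate a session token must never appear there, because as the text above notes the endpoint is readable without logging in.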

Affected Systems and Versions

  • Product: RestroPress – Online Food Ordering System plugin for WordPress
  • Affected Versions: 3.0.0 through 3.1.9.2
  • Vulnerable Configuration: Any WordPress installation with a vulnerable version of RestroPress enabled and the REST API accessible to unauthenticated users

Vendor Security History

Magnigenie, the developer of RestroPress, has a documented history of security issues in this plugin. Previous vulnerabilities include:

  • CVE-2024-35719: Authenticated stored cross-site scripting (XSS) in versions up to 3.1.2.1
  • CVE-2024-32449: Cross-site request forgery (CSRF) in order processing
  • Multiple missing authorization and input validation issues

The vendor has released patches in response to disclosures but continues to experience recurring security problems, indicating ongoing challenges with secure development practices.
