CVE-2025-6214

MEDIUM 6.5

Omnishop <= 1.0.9 - Cross-Site Request Forgery to Arbitrary User Deletion via /users/delete REST Endpoint

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE	CWE-352
Vendor	omnishop
Product	omnishop – mobile shop apps complementing your woocommerce webshop
Published	Jul 23, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for omnishop omnishop – mobile shop apps complementing your woocommerce webshop

Be the first to know when new medium vulnerabilities affecting omnishop omnishop – mobile shop apps complementing your woocommerce webshop are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

omnishop / Omnishop – Mobile shop apps complementing your WooCommerce webshop

0 ≤ 1.0.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/e7c936b8-3132-45e1-92ed-32ecdc9cbb1e?source=cve wordpress.org: https://wordpress.org/plugins/omnishop/#developers

Credits

ch4r0n