CVE-2025-9209
Published: 03 October 2025
Description
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Security Summary
CVE-2025-9209 is an authentication bypass vulnerability affecting the RestroPress – Online Food Ordering System plugin for WordPress in versions 3.0.0 through 3.1.9.2. The flaw arises because the plugin attaches users' private tokens and API data to the objects returned by the /wp-json/wp/v2/users REST API endpoint, which WordPress serves to unauthenticated clients. With that material, an attacker can forge JSON Web Tokens (JWTs) for other users, including administrators, and authenticate as them. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required. By reading the exposed endpoint, they obtain the data needed to craft valid JWTs impersonating any site user, including those with administrator privileges, giving them unauthorized access to confidential data, the ability to modify site content, and the potential to disrupt service.
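A practical check for site operators follows. The /wp-json/wp/v2/users listing is public in WordPress core by default, so its mere reachability is not the defect; what matters is whether user objects carry fields beyond the small set core returns to anonymous callers. The script below is an added example, not code from the original advisory or from the RestroPress project: it flags any non-core fields in a users response and tallies successful unauthenticated reads of the endpoint (including the `?rest_route=` form) in combined-format access logs. The sample response and log lines are constructed, and the field names `rp_private_token` and `rp_api_data` are hypothetical placeholders, not the plugin's real keys.

```python
"""Audit a WordPress /wp-json/wp/v2/users response for plugin-added fields and
count successful reads of that endpoint in combined-format access logs."""
import json
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs

# Fields WordPress core returns for each user on the public (unauthenticated)
# /wp/v2/users listing. Anything outside this set was added by a plugin and
# deserves a look, because it is readable without credentials.
CORE_PUBLIC_USER_FIELDS = frozenset({
    "id", "name", "url", "description", "link", "slug",
    "avatar_urls", "meta", "_links",
})

# Constructed sample response. User 1 carries two plugin-added fields; the
# key names are hypothetical placeholders, not RestroPress's real field names.
SAMPLE_USERS_RESPONSE = json.dumps([
    {"id": 2, "name": "editor", "url": "", "description": "",
     "link": "https://example.test/author/editor/", "slug": "editor",
     "avatar_urls": {}, "meta": [], "_links": {}},
    {"id": 1, "name": "admin", "url": "", "description": "",
     "link": "https://example.test/author/admin/", "slug": "admin",
     "avatar_urls": {}, "meta": [], "_links": {},
     "rp_private_token": "0123456789abcdef",          # hypothetical name
     "rp_api_data": {"key": "do-not-expose-me"}},      # hypothetical name
])


def unexpected_user_fields(body: str) -> Dict[int, List[str]]:
    """Return {user_id: [non-core field names]} for users exposing extra data.

    Accepts either the list from /wp/v2/users or the single object from
    /wp/v2/users/<id>.
    """
    users = json.loads(body)
    if isinstance(users, dict):
        users = [users]
    findings: Dict[int, List[str]] = {}
    for user in users:
        extra = sorted(k for k in user if k not in CORE_PUBLIC_USER_FIELDS)
        if extra:
            findings[int(user["id"])] = extra
    return findings


# Constructed Apache/nginx combined-format log lines. The 401 on the last line
# is not a successful read, and /wp/v2/posts is not the users endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2025:12:20:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.7 - - [03/Oct/2025:12:20:09 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 912 "-" "curl/8.4.0"
198.51.100.4 - - [03/Oct/2025:12:21:30 +0000] "GET /?rest_route=/wp/v2/users&per_page=100 HTTP/1.1" 200 1843 "-" "python-requests/2.32"
192.0.2.10 - - [03/Oct/2025:12:22:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Oct/2025:12:22:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 93 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _is_users_route(target: str) -> bool:
    """True for /wp-json/wp/v2/users... or /?rest_route=/wp/v2/users..."""
    path, _, query = target.partition("?")
    if path.startswith("/wp-json/wp/v2/users"):
        return True
    routes = parse_qs(query).get("rest_route", [])
    return any(r.startswith("/wp/v2/users") for r in routes)


def users_endpoint_hits(log_text: str) -> Counter:
    """Count HTTP 200 GETs of the users endpoint per source IP."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m.group("method") == "GET" and m.group("status") == "200"
                and _is_users_route(m.group("target"))):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    print("plugin-added fields:", unexpected_user_fields(SAMPLE_USERS_RESPONSE))
    print("successful users-endpoint reads:", dict(users_endpoint_hits(SAMPLE_LOG)))
```

To run the field audit against a live site, pass the body of an unauthenticated `GET https://<site>/wp-json/wp/v2/users` to `unexpected_user_fields`; a non-empty result on a site running an affected RestroPress version is the exposure this CVE describes. The log tally is a triage aid rather than a verdict, since crawlers read the public user listing legitimately; correlate spikes with subsequent authenticated admin activity from the same source.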
Advisories and mitigation guidance are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/359833dd-de3c-48ea-8eef-06588a590da2?source=cve and the plugin's page on WordPress.org at https://wordpress.org/plugins/restropress/. The vulnerability was published on 2025-10-03T12:15:47.240.
Details
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is exploited by querying a public-facing WordPress REST API endpoint (T1190, Exploit Public-Facing Application); the data it leaks lets attackers forge JWTs and impersonate users (T1606, Forge Web Credentials).