CVE-2025-9209: RestroPress WordPress Auth Bypass Flaw

CVE-2025-9209 is an authentication bypass flaw in the RestroPress WordPress plugin that exposes user tokens, enabling attackers to forge JWT tokens and gain admin access. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2025-9209 Overview

CVE-2025-9209 is an authentication bypass vulnerability in the RestroPress – Online Food Ordering System plugin for WordPress. The flaw affects versions 3.0.0 through 3.1.9.2. The plugin exposes user private tokens and API data through the /wp-json/wp/v2/users REST API endpoint. Unauthenticated attackers can harvest these tokens and forge JSON Web Tokens (JWTs) for any registered user, including administrators. Successful exploitation grants full administrative control over the affected WordPress site. The vulnerability is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.

Critical Impact

Unauthenticated attackers can forge JWT tokens for administrators and gain full control of vulnerable WordPress sites running RestroPress.

Affected Products

  • RestroPress – Online Food Ordering System plugin for WordPress version 3.0.0
  • RestroPress plugin versions 3.0.1 through 3.1.9.1
  • RestroPress plugin version 3.1.9.2

Discovery Timeline

  • 2025-10-03 - CVE-2025-9209 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9209

Vulnerability Analysis

The RestroPress plugin extends the WordPress REST API to support its food ordering workflow. Its handler for /wp-json/wp/v2/users returns user objects that include sensitive private fields, specifically per-user API tokens used to sign JWTs. The endpoint does not require authentication, and the response payload does not filter token material before serialization.

An attacker queries the endpoint and retrieves the secret material for every user account on the site. With that material, the attacker constructs a valid JWT bearing the user_id of any chosen account. The plugin's JWT verification routine accepts the forged token because it was signed with the legitimate per-user secret. The session inherits the privileges of the targeted account.

When the targeted account is an administrator, the attacker gains the ability to install plugins, modify content, create new admin users, and execute arbitrary PHP through theme or plugin upload flows. This converts a read-only information disclosure into full site takeover and downstream remote code execution.

Root Cause

The root cause is improper output filtering in the REST API user controller. Private fields such as JWT signing tokens are stored alongside public profile fields and are not stripped before the response is returned. Combined with the absence of an authentication or capability check on the route, any anonymous HTTP client can read them.

Attack Vector

Exploitation requires only network access to the WordPress site. The attacker issues an unauthenticated GET request to /wp-json/wp/v2/users, parses the returned JSON to extract each user's token and identifier, then constructs a signed JWT and submits it through the plugin's authenticated endpoints. No user interaction or prior credentials are required.

No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Report for additional technical detail.

Detection Methods for CVE-2025-9209

Indicators of Compromise

  • Unauthenticated GET requests to /wp-json/wp/v2/users from external IP addresses, particularly requests that return non-empty JSON arrays.
  • Authenticated REST API calls immediately following anonymous enumeration requests from the same source IP or user agent.
  • Creation of new WordPress administrator accounts, role changes, or plugin/theme installations that do not correlate with legitimate admin sessions.
  • Presence of the RestroPress plugin at a version between 3.0.0 and 3.1.9.2 inclusive.

Detection Strategies

  • Inspect web server access logs for requests to /wp-json/wp/v2/users and alert when the response size indicates token fields are being returned.
  • Correlate REST API token usage with the IP address that previously queried the users endpoint to identify forged session activity.
  • Run automated plugin inventory scans against managed WordPress instances to flag vulnerable RestroPress versions.
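The enumerate-then-act correlation from the Detection Strategies above, as an added example that is not part of the original page: a stand-alone PHP script run over a few constructed combined-format access log lines. The ten-minute window and the treatment of a 2-byte body as an empty listing are assumptions.

```php
<?php
// Added example, not from the original page: flags a client that listed the users endpoint and
// then issued write-style REST calls shortly afterwards. Assumes combined log format, a 10-minute
// window, and "[]" (2 bytes) as the empty reply that the Indicators of Compromise section excludes.
const USERS_ROUTE    = '/wp-json/wp/v2/users';
const WINDOW_SECONDS = 600;

function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return [ 'ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3],
             'path' => strtok( $m[4], '?' ), 'status' => (int) $m[5], 'bytes' => (int) $m[6] ];
}

function find_suspicious( array $lines ): array {
    $enumerated = []; // ip => time of its last successful, non-empty users listing
    $alerts     = [];
    foreach ( $lines as $line ) {
        $r = parse_log_line( $line );
        if ( null === $r ) {
            continue;
        }
        $listed = 'GET' === $r['method'] && 0 === strpos( $r['path'], USERS_ROUTE );
        if ( $listed && 200 === $r['status'] && $r['bytes'] > 2 ) {
            $enumerated[ $r['ip'] ] = $r['time'];
            $alerts[] = sprintf( 'ENUM   %s listed users (%d bytes)', $r['ip'], $r['bytes'] );
        } elseif ( isset( $enumerated[ $r['ip'] ] ) && 'GET' !== $r['method']
                   && 0 === strpos( $r['path'], '/wp-json/' )
                   && $r['time'] - $enumerated[ $r['ip'] ] <= WINDOW_SECONDS ) {
            $alerts[] = sprintf( 'FOLLOW %s %s %s %ds after enumeration', $r['ip'], $r['method'],
                                 $r['path'], $r['time'] - $enumerated[ $r['ip'] ] );
        }
    }
    return $alerts;
}

// Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
$sample = [
    '203.0.113.10 - - [03/Oct/2025:10:00:01 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '198.51.100.7 - - [03/Oct/2025:10:01:30 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [03/Oct/2025:10:03:12 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 912 "-" "curl/8.4.0"',
];
foreach ( find_suspicious( $sample ) as $alert ) {
    echo $alert, PHP_EOL;
}
```

Run with `php detect.php`; the second sample client is not flagged because its 2-byte response is an empty array, while the first is flagged for both the listing and the POST that follows it 191 seconds later.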

Monitoring Recommendations

  • Forward WordPress audit logs and web server logs to a central SIEM or data lake for retention and correlation.
  • Monitor changes to the wp_users and wp_usermeta tables for unexpected administrator additions or capability changes.
  • Alert on file modifications under wp-content/plugins/ and wp-content/themes/ that occur outside of approved maintenance windows.

How to Mitigate CVE-2025-9209

Immediate Actions Required

  • Update the RestroPress plugin to a fixed version released after 3.1.9.2 as soon as the vendor publishes a patch.
  • Restrict public access to /wp-json/wp/v2/users at the web server or WAF layer until the plugin is upgraded.
  • Rotate any JWT signing material and reset passwords for all WordPress accounts, prioritizing administrators.
  • Audit administrator accounts and remove any unrecognized users created since the plugin was installed.

Patch Information

Consult the official RestroPress plugin page on WordPress.org for the latest release and changelog. Apply the vendor-supplied update to a version higher than 3.1.9.2. After patching, verify that requests to /wp-json/wp/v2/users no longer expose private token fields.

Workarounds

  • Deploy a Web Application Firewall (WAF) rule blocking unauthenticated requests to /wp-json/wp/v2/users.
  • Disable the RestroPress plugin until a fixed version is installed if the site can tolerate the loss of online ordering functionality.
  • Restrict REST API access using a plugin or functions.php filter that requires authentication on the users route.
```nginx
# Example nginx rule to block unauthenticated access to the users REST endpoint.
# Note: this only checks for an Authorization header, so cookie-authenticated
# dashboard calls to this endpoint are blocked too, and requests that reach the
# route through the ?rest_route= query parameter do not match this location.
location ~ ^/wp-json/wp/v2/users {
    if ($http_authorization = "") {
        return 403;
    }
}
```
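One way to implement the functions.php workaround from the list above, as an added example that is not part of the original page or of the RestroPress project: it hooks WordPress's rest_pre_dispatch filter and assumes a WordPress version that provides rest_authorization_required_code() (4.7 and later).

```php
<?php
/**
 * Added example (not RestroPress or WordPress core code): refuse anonymous access
 * to the core users REST routes. Place it in a must-use plugin under
 * wp-content/mu-plugins/ or in the active theme's functions.php.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another hook has already short-circuited this request; keep its decision.
    if ( null !== $result ) {
        return $result;
    }

    // Matches /wp/v2/users, /wp/v2/users/<id> and /wp/v2/users/me alike.
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/wp/v2/users' ) ) {
        return $result;
    }

    // Cookie+nonce, application-password and plugin-supplied authentication have
    // all run before dispatch, so an anonymous client has no current user here.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_users_authentication_required',
            'Authentication is required to access user data.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}, 10, 3 );
```

After installing it, an anonymous request to /wp-json/wp/v2/users returns a 401 JSON error instead of the user list, which is also the check the Patch Information section asks you to repeat after upgrading.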

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.