CVE-2025-9209 | The RestroPress – Online Food Ordering System plugin for Wor… | CVSS 9.8 CRITICAL

Description

The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.

Metadata

CVE ID: CVE-2025-9209
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-08-19 18:58 UTC
Published: 2025-10-03 11:17 UTC
Last updated: 2025-10-03 18:02 UTC
Primary CWE: CWE-200
CWE-200 Exposure of Sensitive Information to an Unauthorized…
Vendor / Product: magnigenie / RestroPress – Online Food Ordering System
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
magnigenie	RestroPress – Online Food Ordering System	—	3.0.0 ≤ 3.1.9.2

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)