CVE-2025-9209
published 2025-10-03


Priority: P277, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.20% (80.3rd percentile)
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.

Affected (1 range)

Vendor      Product                                   Version range     Fixed in
magnigenie  restropress_online_food_ordering_system   3.0.0 – 3.1.9.2

Detection & IOCs (extracted from sources)

url:   /wp-json/wp/v2/users
url:   /wp-json/rp/v1/auth?user_id=1
path:  /wp-content/plugins/restropress/
path:  /wp-content/plugins/restropress/readme.txt
bytes: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.
  • Detect unauthenticated GET requests to /wp-json/rp/v1/auth with a user_id parameter — this is the exploit endpoint used to retrieve forged JWT tokens for arbitrary users.
  • Alert on HTTP 200 responses from /wp-json/rp/v1/auth containing a JSON body with a 'token' field starting with 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.' — this indicates successful JWT token leakage.
  • Monitor unauthenticated access to /wp-json/wp/v2/users — this endpoint leaks private tokens and API data enabling JWT forgery.
  • Flag WordPress installations with the restropress plugin path present in HTTP responses as potentially vulnerable targets for scanning.
  • Use regex '"token"\s*:\s*"(eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)"' on HTTP response bodies to extract and flag leaked JWT tokens from the RestroPress auth endpoint.
  • Affected versions are RestroPress 3.0.0 through 3.1.9.2; the Nuclei template targets up to 3.2.1 for version matching — verify the exact patched version boundary before deploying detections.
  • The exploit requires no authentication whatsoever — any unauthenticated network request to the auth endpoint is sufficient to retrieve a valid admin JWT token.
  • The JWT tokens are signed with HS512 (HMAC-SHA512); forged tokens using the leaked secret will appear cryptographically valid to the server.
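The detection bullets above, turned into a small log-review script. This is an added example, not code from cvebase, RestroPress or the Nuclei template. It assumes a proxy or WAF export with one JSON object per line carrying the request path, the Authorization header value (`auth`), the status code and the response body (field names are assumptions), and it also folds WordPress's permalink-less `?rest_route=/...` alias onto `/wp-json/...` so that form of the request is not missed. The sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Regex from the detection notes above: a JWT inside a "token" JSON field.
TOKEN_RE = re.compile(r'"token"\s*:\s*"(eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)"')
# base64url of {"typ":"JWT","alg":"HS512"} plus the separator dot, as listed in the IOCs.
HS512_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."

# Constructed sample records (assumed export format; token value is made up).
SAMPLE_LOG = r'''
{"method":"GET","path":"/wp-json/rp/v1/auth?user_id=1","auth":"","status":200,"body":"{\"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyX2lkIjoxfQ.c2lnbmF0dXJl\"}"}
{"method":"GET","path":"/wp-json/wp/v2/users","auth":"","status":200,"body":"[]"}
{"method":"GET","path":"/wp-json/wp/v2/users","auth":"Basic ZWRpdG9yOnNlY3JldA==","status":200,"body":"[]"}
{"method":"GET","path":"/?rest_route=/rp/v1/auth&user_id=2","auth":"","status":403,"body":"{\"code\":\"rest_forbidden\"}"}
{"method":"GET","path":"/wp-json/rp/v1/menu","auth":"","status":200,"body":"{}"}
'''

def normalise(raw_path: str) -> tuple[str, dict]:
    """Split path and query; map WordPress's ?rest_route=/x alias onto /wp-json/x."""
    parts = urlsplit(raw_path)
    query = parse_qs(parts.query)
    path = parts.path
    if "rest_route" in query:                      # REST access without pretty permalinks
        path = "/wp-json" + query.pop("rest_route")[0]
    return path.rstrip("/"), query

def analyse(rec: dict) -> list[str]:
    """Return the names of the detection rules one request/response record trips."""
    path, query = normalise(rec["path"])
    unauth = not rec.get("auth")                   # no Authorization header present
    alerts = []
    if path == "/wp-json/rp/v1/auth":
        if unauth and "user_id" in query:
            alerts.append("unauth-rp-auth-user_id")
        match = TOKEN_RE.search(rec.get("body", ""))
        if rec.get("status") == 200 and match:     # a token actually left the server
            alg = "hs512" if match.group(1).startswith(HS512_HEADER) else "other"
            alerts.append(f"jwt-leak-{alg}")
    elif path == "/wp-json/wp/v2/users" and unauth:
        alerts.append("unauth-wp-users-enum")
    return alerts

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Run analyse() over newline-delimited JSON records and keep only the hits."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            alerts = analyse(rec)
            if alerts:
                findings.append((rec["path"], alerts))
    return findings

if __name__ == "__main__":
    for path, alerts in scan(SAMPLE_LOG):
        print(path, "->", ", ".join(alerts))
```

The authenticated request to /wp-json/wp/v2/users and the unrelated /rp/v1/menu call produce no finding, so the rules stay quiet on normal plugin traffic.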