CVE-2025-9209
Published 2025-10-03
Priority: P277 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit likelihood (EPSS): 2.20% (80.3rd percentile)
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.
Affected (1 range):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magnigenie | restropress_online_food_ordering_system | 3.0.0 – 3.1.9.2 | — |
Detection & IOCs (extracted from sources)
IOC (bytes): eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9. (the base64url-encoded JWT header {"typ":"JWT","alg":"HS512"})
Detections:
- Detect unauthenticated GET requests to /wp-json/rp/v1/auth with a user_id parameter; this is the exploit endpoint used to retrieve forged JWT tokens for arbitrary users.
- Alert on HTTP 200 responses from /wp-json/rp/v1/auth containing a JSON body with a 'token' field starting with 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.'; this indicates successful JWT token leakage.
- Monitor unauthenticated access to /wp-json/wp/v2/users; this endpoint leaks private tokens and API data enabling JWT forgery.
- Flag WordPress installations with the restropress plugin path present in HTTP responses as potentially vulnerable targets for scanning.
- Use the regex '"token"\s*:\s*"(eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)"' on HTTP response bodies to extract and flag leaked JWT tokens from the RestroPress auth endpoint.
Notes:
- Affected versions are RestroPress 3.0.0 through 3.1.9.2; the Nuclei template targets up to 3.2.1 for version matching. Verify the exact patched version boundary before deploying detections.
- The exploit requires no authentication whatsoever: any unauthenticated network request to the auth endpoint is sufficient to retrieve a valid admin JWT token.
- The JWT tokens are signed with HS512 (HMAC-SHA512); forged tokens using the leaked secret will appear cryptographically valid to the server.
No detection rules found.
Nuclei
CVE-2025-9209 [CRITICAL] RestroPress 3.0.0-3.2.1 - Authentication Bypass (nuclei · CVSS 9.8)
RestroPress Online Food Ordering System WordPress plugin 3.0.0 to 3.1.9.2 contains an authentication bypass caused by exposure of user private tokens and API data via the /wp-json/wp/v2/users endpoint, letting unauthenticated attackers forge JWT tokens and authenticate as other users, including administrators. The exploit requires no authentication.
Template:
```yaml
id: CVE-2025-9209

info:
  name: RestroPress 3.0.0-3.2.1 - Authentication Bypass
  author: 0x_Akoko
  severity: critical
  description: |
    RestroPress Online Food Ordering System WordPress plugin 3.0.0 to 3.1.9.2 contains an authentication bypass caused by exposure of user private tokens and API data via /wp-json/wp/v2/users endpoint, letting unauthenticated attackers forge JWT tokens and authenticate as other users including administrators, exploit requires no authentication.
```
No writeups or analysis indexed.