CVE Details
Basic Information
| Title | Omnishop <= 1.0.9 - Missing Registration Restriction to Unauthenticated Account Creation via /users/register REST Endpoint |
|---|---|
| Type | cve |
| Published | 2025-07-23T02:24:37.162Z |
| Modified | 2025-07-23T02:24:37.162Z |
Product Information
| Vendor | omnishop |
|---|---|
| Product | Omnishop – Mobile shop apps complementing your WooCommerce webshop |
| Version | * |
CVSS Information
| Base Score | 5.3 (MEDIUM) |
|---|---|
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
AI Analysis
| AI Description | The Omnishop WordPress plugin allows unauthenticated users to bypass registration restrictions, enabling them to create user accounts without proper authorization. This vulnerability could lead to unauthorized access and potential security risks for sites using the plugin. |
|---|---|
| AI Severity | Medium |
| AI Vendor | WordPress Community |
| AI Product | Omnishop |
| AI Version | 1.0.9 |
Affected Products
- omnishop Omnishop – Mobile shop apps complementing your WooCommerce webshop *
Additional Information
| CWE List | CWE-862 |
|---|---|
| Source | Wordfence |
Description
The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register REST endpoint is exposed to the public (its permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site's users_can_register option and applying no nonce or CAPTCHA check. This makes it possible for unauthenticated attackers to create arbitrary user accounts (with the customer role) on sites where registration should be closed.
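The following is an added illustration of the pattern the description above names, written for this page and not taken from the Omnishop plugin. It shows a REST route registered with a permission_callback that always returns true and a handler that calls wp_create_user() unconditionally, beside a hardened version that honours users_can_register, validates input and runs the core 'registration_errors' filter so CAPTCHA and anti-spam plugins can veto the request. The namespace 'omnishop/v1', the parameter names username/email/password and every function name here are assumptions; the page only names the /users/register route.

```php
<?php
/**
 * Added illustration, not Omnishop's own code. Assumed (not on the page):
 * the namespace 'omnishop/v1', the parameter names and the function names.
 * Register only ONE of the two routes below; both are shown for contrast.
 */

// 1. Vulnerable pattern: public route, unconditional wp_create_user().
add_action( 'rest_api_init', function () {
    register_rest_route( 'omnishop/v1', '/users/register', array(
        'methods'             => 'POST',
        'callback'            => 'omnishop_example_register_vulnerable',
        // Every caller, authenticated or not, passes the permission check.
        'permission_callback' => '__return_true',
    ) );
} );

function omnishop_example_register_vulnerable( WP_REST_Request $request ) {
    // users_can_register is never consulted; no nonce or CAPTCHA is applied.
    $user_id = wp_create_user(
        (string) $request->get_param( 'username' ),
        (string) $request->get_param( 'password' ),
        (string) $request->get_param( 'email' )
    );
    return rest_ensure_response( array( 'user_id' => $user_id ) );
}

// 2. Hardened pattern: gate on the site setting, validate, let anti-spam hooks run.
add_action( 'rest_api_init', function () {
    register_rest_route( 'omnishop/v1', '/users/register', array(
        'methods'             => 'POST',
        'callback'            => 'omnishop_example_register_hardened',
        'permission_callback' => 'omnishop_example_register_permission',
        'args'                => array(
            'username' => array( 'required' => true, 'type' => 'string' ),
            'email'    => array( 'required' => true, 'type' => 'string', 'format' => 'email' ),
            'password' => array( 'required' => true, 'type' => 'string', 'minLength' => 12 ),
        ),
    ) );
} );

function omnishop_example_register_permission( WP_REST_Request $request ) {
    // Respect Settings > General > "Anyone can register".
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error(
            'omnishop_registration_closed',
            'Registration is closed on this site.',
            array( 'status' => 403 )
        );
    }
    // An existing session should not mint additional accounts through this route.
    if ( is_user_logged_in() ) {
        return new WP_Error( 'omnishop_already_logged_in', 'Already logged in.', array( 'status' => 403 ) );
    }
    return true;
}

function omnishop_example_register_hardened( WP_REST_Request $request ) {
    $username = sanitize_user( (string) $request->get_param( 'username' ), true );
    $email    = sanitize_email( (string) $request->get_param( 'email' ) );
    $password = (string) $request->get_param( 'password' );

    if ( ! validate_username( $username ) || username_exists( $username ) ) {
        return new WP_Error( 'omnishop_bad_username', 'Invalid or taken username.', array( 'status' => 400 ) );
    }
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        return new WP_Error( 'omnishop_bad_email', 'Invalid or taken email.', array( 'status' => 400 ) );
    }

    // Same filter wp-login.php's register form runs: CAPTCHA and anti-spam
    // plugins hooked to 'registration_errors' get to reject the request.
    $errors = apply_filters( 'registration_errors', new WP_Error(), $username, $email );
    if ( $errors->has_errors() ) {
        $errors->add_data( array( 'status' => 400 ) );
        return $errors;
    }

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        $user_id->add_data( array( 'status' => 500 ) );
        return $user_id;
    }

    // Pin the role server-side; the client never gets to choose it.
    $user = new WP_User( $user_id );
    $user->set_role( 'customer' ); // WooCommerce shopper role

    return new WP_REST_Response( array( 'user_id' => $user_id ), 201 );
}
```

Two checks follow from the hardened version. First, turning off "Anyone can register" does not mitigate the vulnerable pattern, because the handler never reads users_can_register; the permission_callback is the place that gate belongs, since WordPress evaluates it before the handler and before argument validation. Second, to audit a site for routes of this shape, iterate rest_get_server()->get_routes() and flag any route whose handler array carries 'permission_callback' => '__return_true' while its callback creates or modifies state; read-only public routes are normal, state-changing ones deserve a look.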