VYPR

Omnishop

by WordPress

Source repositories

CVEs (2)

  • CVE-2025-6214MedJul 23, 2025
    risk 0.42cvss 6.5epss 0.00

    The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other…

  • CVE-2025-6215MedJul 23, 2025
    risk 0.34cvss 5.3epss 0.00

    The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, …