Omnishop WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Arbitrary User Deletion

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Omnishop plugin for WordPress, affecting all versions through 1.0.9. The vulnerability exists on the '/users/delete' REST route, where the permission callback only checks if the requester is logged in, without requiring a nonce or any other proof of intent. This oversight allows unauthenticated attackers to delete any user account by tricking an administrator into clicking a link that sends a forged request.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of user accounts.

Added: Jul 23, 2025, 3:21 AM

Updated: Jul 23, 2025, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

6.4

remediation

0.0

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

6.4

remediation

0.0

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Omnishop WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Arbitrary User Deletion

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating