Omnishop WordPress Plugin Unauthenticated Registration Bypass Vulnerability
Vulnerability
A vulnerability allowing unauthenticated users to bypass registration restrictions has been identified in the Omnishop plugin for WordPress, affecting all versions through 1.0.9. The issue arises because the /users/register endpoint is publicly accessible and invokes the wp_create_user() function without any checks. As a result, the endpoint ignores the site's user registration settings and bypasses nonce and CAPTCHA validations, enabling attackers to create user accounts on sites where registrations should be closed.
Impact
Exploitation of this vulnerability allows for the creation of user accounts with customer privileges, potentially leading to unauthorized access or actions within the affected WordPress site.
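To check whether a site has already received such registration requests, the following added example (not part of the original advisory or the plugin's code) scans web server access logs for POST requests to the /users/register route. It assumes Combined Log Format and treats a 2xx status as a created account; the namespace "example-ns/v1" in the constructed sample lines is a placeholder, since the advisory does not give the full route.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ROUTE_SUFFIX = "/users/register"  # endpoint named in the advisory


def rest_route(target):
    """Return the REST route a request target addresses, in either URL form."""
    parts = urlsplit(target)
    # Sites without pretty permalinks pass the route as ?rest_route=/ns/route
    plain = parse_qs(parts.query).get("rest_route")
    return (plain[0] if plain else parts.path).rstrip("/")


def find_registrations(lines):
    """Map client IP -> [(timestamp, status)] for POSTs to the register route."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and \
                rest_route(m["target"]).endswith(ROUTE_SUFFIX):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)


def successful(hits):
    """Clients with a 2xx reply (assumed here to mean an account was created)."""
    ok = {ip: [e for e in evts if 200 <= e[1] < 300] for ip, evts in hits.items()}
    return {ip: evts for ip, evts in ok.items() if evts}


# Constructed sample lines; "example-ns/v1" is a placeholder namespace.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-json/example-ns/v1/users/register HTTP/1.1" 200 154 "-" "-"',
    '203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "POST /?rest_route=/example-ns/v1/users/register HTTP/1.1" 201 160 "-" "-"',
    '198.51.100.4 - - [10/Jan/2025:10:05:00 +0000] "GET /wp-json/example-ns/v1/users/register HTTP/1.1" 404 90 "-" "-"',
    '198.51.100.9 - - [10/Jan/2025:10:06:00 +0000] "POST /wp-json/example-ns/v1/users/register HTTP/1.1" 403 90 "-" "-"',
    '192.0.2.15 - - [10/Jan/2025:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, evts in successful(find_registrations(SAMPLE)).items():
        print(ip, len(evts), "successful registration request(s)")
```

Timestamps of flagged requests can be compared with the user_registered column of the WordPress users table to identify the accounts that were created.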
