CVE Vulnerabilities

CVE-2025-6688

Authentication Bypass Using an Alternate Path or Channel

Published: Jun 27, 2025 | Modified: Jul 02, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io minimus.io echohq.com

The Simple Payment plugin for WordPress is vulnerable to Authentication Bypass in versions 1.3.6 to 2.3.8. This is due to the plugin not properly verifying a users identity prior to logging them in through the create_user() function. This makes it possible for unauthenticated attackers to log in as administrative users.

Weakness

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

Affected Software

Name Vendor Start Version End Version
Simple_payment Idokd 1.3.6 (including) 2.3.9 (excluding)

Potential Mitigations

References