## https://sploitus.com/exploit?id=FC7CA8E5-7335-592D-A09A-12A7400B94DC
# CVE-2025-9209 – RestroPress Unauthenticated API Key & Token Exposure
## 📌 Overview
**CVE-2025-9209** is a critical information disclosure vulnerability in the **RestroPress** WordPress plugin (versions 3.0.0 – 3.1.9.2).
It allows an unauthenticated attacker to retrieve private API keys, public keys, and JWT tokens for all WordPress users via the built‑in REST API endpoint `/wp-json/wp/v2/users`.
With these credentials, an attacker can fully impersonate any user – including administrators – and gain complete control over the RestroPress e‑commerce data (customers, orders, menu items, coupons, etc.).
**CVSS Score:** 8.8 (High)
**CWE:** CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
**Patched version:** RestroPress 3.2.2 (March 2025)
---
## ⚙️ How the Exploit Works
1. Attacker sends a `GET` request to the public endpoint:
`https://target.com/wp-json/wp/v2/users?per_page=100`
2. The response contains the `_rp_api_user_private_key`, `_rp_api_user_public_key`, and `_rp_api_user_token_key` for each user.
3. Attacker extracts the **JWT token** and **public key**.
4. Using these, the attacker can authenticate to any RestroPress REST API endpoint (e.g., `/wp-json/rp/v1/customers`, `/wp-json/rp/v1/orders`) with the following headers:
- `Authorization: Bearer `
- `X-API-Key: `
- `X-User-ID: `
5. Successful authentication grants full CRUD access to all RestroPress data.
---
## 🧪 Lab Setup (Test Environment)
| Component | Details |
|------------------------|-------------------------------------------------------------------------|
| **Target** | Windows 11 VM running XAMPP + WordPress + RestroPress 3.1.9.2 |
| **Attacker** | Kali Linux VM (Python3, curl) |
| **Network** | Host‑only adapter (192.168.100.0/24) |
### Target Setup (Windows 11)
1. Install XAMPP, start Apache & MySQL.
2. Download WordPress, install in `C:\xampp\htdocs\wordpress`.
3. Install **RestroPress 3.1.9.2** (from WordPress plugin archive) and activate.
4. Generate API keys for a user (WordPress admin → Users → Profile → RestroPress API Keys → Generate New API Keys).
5. Ensure the REST API endpoint returns non‑empty fields:
`curl http://localhost/wordpress/wp-json/wp/v2/users?per_page=100`
### Attacker Setup (Kali)
```bash
git clone https://github.com/Nxploited/CVE-2025-9209.git
cd CVE-2025-9209
echo "192.168.100.10/wordpress" > targets.txt