CVE-2025-8570 CRITICAL

CVE-2025-8570: BeyondCart Connector <= 3.0.1 - Missing Configuration of JWT Secret to Unauthenticated Privilege Escalation via determine_current_user Filter

Vendor Beyondcart
Product BeyondCart Connector
Weakness CWE-798 · Hardcoded credentials
Published September 11, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1. This makes it possible for unauthenticated attackers to craft valid tokens and assume any user’s identity.
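The failure class named above (a token-authentication hook that still works when no per-site secret was ever configured) is easiest to see in code. The following is an added illustration written for this page, not the BeyondCart Connector's own source: it assumes a WordPress plugin that accepts an HS256 JWT in the Authorization header and resolves it to a user inside the determine_current_user filter. Every name prefixed with example_ and the constant EXAMPLE_JWT_SECRET are hypothetical. The weak helper shows the pattern that makes every installation share one guessable key; the hardened path refuses to authenticate at all until an operator has set a strong secret, pins the algorithm, compares the MAC in constant time and enforces expiry.

```php
<?php
// Added illustrative example (not the BeyondCart Connector's code). Names
// prefixed example_ and the constant EXAMPLE_JWT_SECRET are hypothetical.

// Weak pattern behind this CVE class: a built-in fallback secret, identical on
// every install. Anyone who has read the plugin source can mint a token for
// any user ID, so the filter below would log them in as that user.
function example_weak_jwt_secret() {
    return defined('EXAMPLE_JWT_SECRET') ? EXAMPLE_JWT_SECRET : 'changeme';
}

// Hardened: no operator-configured secret means no token authentication.
function example_jwt_secret() {
    if (!defined('EXAMPLE_JWT_SECRET') || strlen(EXAMPLE_JWT_SECRET) < 32) {
        return null;
    }
    return EXAMPLE_JWT_SECRET;
}

// RFC 7515 base64url decoding (no padding on the wire); strict mode rejects junk.
function example_b64url_decode($s) {
    $padded = str_pad(strtr($s, '-_', '+/'), (int) ceil(strlen($s) / 4) * 4, '=', STR_PAD_RIGHT);
    return base64_decode($padded, true);
}

// Verifies an HS256 JWT and returns its claims, or null on any failure.
function example_verify_hs256($jwt, $secret) {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    list($h, $p, $s) = $parts;
    $header = json_decode(example_b64url_decode($h), true);
    // Pin the algorithm server-side; the token must never choose it.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $sig = example_b64url_decode($s);
    // Constant-time comparison of the MAC.
    if ($sig === false || !hash_equals($expected, $sig)) {
        return null;
    }
    $claims = json_decode(example_b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || !is_int($claims['exp'])) {
        return null;
    }
    if ($claims['exp'] < time()) {
        return null; // expired
    }
    return $claims;
}

// determine_current_user runs on every request; returning a user ID here
// authenticates the request as that user, which is why the secret must be
// site-specific and the decision must fail closed.
add_filter('determine_current_user', function ($user_id) {
    if ($user_id) {
        return $user_id; // another method (cookie, app password) already resolved it
    }
    $secret = example_jwt_secret();
    if ($secret === null) {
        return $user_id; // unconfigured: never fall back to a built-in secret
    }
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($auth, 'Bearer ') !== 0) {
        return $user_id;
    }
    $claims = example_verify_hs256(trim(substr($auth, 7)), $secret);
    if ($claims === null || empty($claims['sub'])) {
        return $user_id;
    }
    $user = get_user_by('id', (int) $claims['sub']);
    return $user ? $user->ID : $user_id;
}, 20);
```

For detection, the same fail-closed rule suggests what to look for in the site's configuration: if a plugin that authenticates via this filter works with no secret set anywhere in wp-config.php or its settings, it is using a default, and tokens signed with that default will validate on every install that shares it.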

Explanation of Vulnerability in Simple Terms

02 Summary

BeyondCart Connector versions 3.0.1 and earlier contain a hardcoded-credentials or similar authentication-bypass vulnerability. An attacker on the network can gain full control of the connector without authentication, reading sensitive data, modifying settings, or disrupting service. No user interaction or special privileges are required.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify connector settings, or disrupt service without any authentication.

Potential impact on your site

04 Site Impact

Attackers can access and modify your BeyondCart integration, potentially exposing customer data or disrupting e-commerce operations.

Conditions required to exploit

05 Prerequisites

Network access to the BeyondCart Connector; no authentication or user interaction required.

Key dates

06 Disclosure timeline

September 11, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08 Related CVE