CVE-2025-10305
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-20

Last updated on: 2025-09-22

Assigner: Wordfence

Description
The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-20
Last Modified
2025-09-22
Generated
2026-06-16
AI Q&A
2025-10-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10305
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress secure-passkeys 1.2.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Secure Passkeys WordPress plugin allows authenticated users with Subscriber-level access or higher to view and delete passkeys due to missing capability checks on certain functions (delete_passkey() and passkeys_list()). Essentially, the plugin did not properly verify if a user had the right permissions before allowing these sensitive actions, enabling unauthorized access to passkeys. [1]

Impact Analysis

The vulnerability can lead to unauthorized users with low-level access viewing and deleting passkeys, which are used for authentication. This could compromise user accounts by allowing attackers to remove or manipulate authentication credentials, potentially leading to privilege escalation or account takeover. [1]

Detection Guidance

Detection of this vulnerability involves checking if the WordPress site is running the Secure Passkeys plugin version 1.2.1 or earlier, as these versions lack proper permission checks. You can verify the plugin version via the WordPress admin dashboard or by inspecting the plugin files. Additionally, monitoring for unauthorized AJAX POST requests to the plugin's endpoints (such as secure-passkeys-adminarea-ajax.php or secure-passkeys-frontend-ajax.php) from users with Subscriber-level access or above may indicate exploitation attempts. Specific commands to check plugin version on the server include: 1) Using WP-CLI: `wp plugin list | grep secure-passkeys` to see the installed version. 2) Searching web server logs for suspicious POST AJAX requests to the plugin's PHP files, e.g., `grep 'POST.*secure-passkeys' /var/log/apache2/access.log` or equivalent. However, no explicit detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the Secure Passkeys WordPress plugin to version 1.2.2 or later, which includes enhanced permission checks and fixes the vulnerability. This update enforces strict access control, nonce verification, and capability checks to prevent unauthorized users from viewing or deleting passkeys. Until the update is applied, restrict access to users with higher privileges and monitor for suspicious activity related to passkey management endpoints. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10305. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart