CVE-2025-10305
BaseFortify
Publication date: 2025-09-20
Last updated on: 2025-09-22
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | secure-passkeys | 1.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Secure Passkeys WordPress plugin allows authenticated users with Subscriber-level access or higher to view and delete passkeys due to missing capability checks on certain functions (delete_passkey() and passkeys_list()). Essentially, the plugin did not properly verify if a user had the right permissions before allowing these sensitive actions, enabling unauthorized access to passkeys. [1]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized users with low-level access viewing and deleting passkeys, which are used for authentication. This could compromise user accounts by allowing attackers to remove or manipulate authentication credentials, potentially leading to privilege escalation or account takeover. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking whether the WordPress site is running the Secure Passkeys plugin at version 1.2.1 or earlier, as these versions lack proper permission checks. You can verify the plugin version via the WordPress admin dashboard or by inspecting the plugin files. Additionally, monitoring for unauthorized AJAX POST requests to the plugin's endpoints (such as secure-passkeys-adminarea-ajax.php or secure-passkeys-frontend-ajax.php) from users with Subscriber-level access or above may indicate exploitation attempts. Specific commands to check the plugin version on the server include:
1) Using WP-CLI: `wp plugin list | grep secure-passkeys` to see the installed version.
2) Searching web server logs for suspicious POST AJAX requests to the plugin's PHP files, e.g., `grep 'POST.*secure-passkeys' /var/log/apache2/access.log` or equivalent.
However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Secure Passkeys WordPress plugin to version 1.2.2 or later, which includes enhanced permission checks and fixes the vulnerability. This update enforces strict access control, nonce verification, and capability checks to prevent unauthorized users from viewing or deleting passkeys. Until the update is applied, restrict access to users with higher privileges and monitor for suspicious activity related to passkey management endpoints. [1]
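The missing-authorization pattern described in the answers above, next to the nonce, capability and ownership checks the fixed version is said to enforce, as an added PHP example. This is not the Secure Passkeys plugin's own code: the option-based passkey store and the hook, nonce and capability names are all assumed for illustration.

```php
<?php
// Added illustration, not the Secure Passkeys plugin's own code. Passkeys are
// assumed to live in a site option keyed by id, each row carrying its owner's
// user id; hook, nonce and capability names are made up for the example.

function example_passkey_owner( $passkey_id ) {
    $store = get_option( 'example_passkeys', array() );
    return isset( $store[ $passkey_id ] ) ? (int) $store[ $passkey_id ]['user_id'] : 0;
}

function example_passkey_delete( $passkey_id ) {
    $store = get_option( 'example_passkeys', array() );
    unset( $store[ $passkey_id ] );
    update_option( 'example_passkeys', $store );
}

// CWE-862 pattern: the wp_ajax_ hook fires for every logged-in user, so any
// Subscriber who posts a passkey_id can delete any user's credential.
function example_delete_passkey_unchecked() {
    example_passkey_delete( absint( $_POST['passkey_id'] ?? 0 ) );
    wp_send_json_success();
}

// Hardened pattern: nonce, capability and ownership are verified before the
// store is touched. wp_send_json_error() calls wp_die(), so each failure stops.
function example_delete_passkey_checked() {
    // Nonce ties the request to a token this site issued to this user.
    if ( ! check_ajax_referer( 'example_passkey_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }
    // Capability check: the role-level control the advisory says was missing.
    if ( ! current_user_can( 'example_manage_passkeys' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    // Object-level check: a role test alone still lets one user delete another
    // user's passkey, so the row must belong to the caller (or caller is admin).
    $passkey_id = absint( $_POST['passkey_id'] ?? 0 );
    $owner_id   = example_passkey_owner( $passkey_id );
    if ( 0 === $owner_id
        || ( $owner_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    example_passkey_delete( $passkey_id );
    wp_send_json_success( array( 'deleted' => $passkey_id ) );
}

// Only the checked handler is registered; the unchecked one is shown for contrast.
add_action( 'wp_ajax_example_delete_passkey', 'example_delete_passkey_checked' );
```

The same three checks apply to a listing handler such as the passkeys_list() function named above: a capability test decides who may call it at all, and an ownership filter decides which rows the caller may see.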