CVE-2025-10294
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: Wordfence

Description
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-14
NVD
CVE-2025-10294
EUVD
EUVD-2025-34544
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordpress wordpress *
ownid passwordless_login *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the OwnID Passwordless Login WordPress plugin (up to version 1.3.4) is an authentication bypass issue. It occurs because the plugin does not properly check if the 'ownid_shared_secret' value is empty before authenticating a user via JWT. This flaw allows unauthenticated attackers to log in as other users, including administrators, especially on sites where the plugin has not been fully configured. [1]

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to bypass authentication and gain unauthorized access to user accounts, including administrator accounts. This can lead to full site compromise, data theft, unauthorized changes, and loss of control over the WordPress site. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, disable the OwnID Passwordless Login plugin on your WordPress site, clear autoload options from the database, and purge all caches including Redis, page, and browser caches. Additionally, manually clear browser cache and cookies if residual login issues persist. Avoid using the plugin on production sites until a secure update is released. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10294. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart