CVE-2025-10294
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| ownid | passwordless_login | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the OwnID Passwordless Login WordPress plugin (up to version 1.3.4) is an authentication bypass issue. It occurs because the plugin does not properly check if the 'ownid_shared_secret' value is empty before authenticating a user via JWT. This flaw allows unauthenticated attackers to log in as other users, including administrators, especially on sites where the plugin has not been fully configured. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to bypass authentication and gain unauthorized access to user accounts, including administrator accounts. This can lead to full site compromise, data theft, unauthorized changes, and loss of control over the WordPress site. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, disable the OwnID Passwordless Login plugin on your WordPress site, clear autoload options from the database, and purge all caches including Redis, page, and browser caches. Additionally, manually clear browser cache and cookies if residual login issues persist. Avoid using the plugin on production sites until a secure update is released. [1]